Abstract

We present a tractable method for synthesizing arbitrarily large concurrent programs, for
a shared memory model with common hardware-available primitives such as atomic registers,
compare-and-swap, load-linked/store-conditional, etc. The programs we synthesize are dynamic:
new processes can be created and added at run-time, and so our programs are not finite-state, in
general. Nevertheless, we successfully exploit automatic synthesis and model-checking methods
based on propositional temporal logic. Our method is algorithmically efficient, with complexity
polynomial in the number of component processes (of the program) that are "alive" at any time.
Our method does not explicitly construct the automata-theoretic product of all processes that
are alive, thereby avoiding state explosion. Instead, for each pair of processes which interact,
our method constructs an automata-theoretic product (pair-machine) which embodies all the
possible interactions of these two processes. From each pair-machine, we can synthesize a
correct pair-program which coordinates the two involved processes as needed. We allow such
pair-programs to be added dynamically at run-time. They are then "composed conjunctively"
with the currently alive pair-programs to re-synthesize the program as it results after addition
of the new pair-program. We are thus able to add new behaviors, which result in new properties
being satisfied, at run-time. This "incremental composition" step has complexity independent
of the total number of processes: it only requires the mechanical analysis of the two processes in
the pair-program and their immediate neighbors, i.e., the other processes which they interact
directly with. We establish a "large model" theorem which shows that the synthesized large
program inherits correctness properties from the pair-programs.



1 Introduction 



We exhibit a method of mechanically synthesizing a concurrent program consisting of a large, and
dynamically varying, number of sequential processes executing in parallel. Our programs operate in
shared memory, using commonly available hardware primitives such as read and write operations
on atomic registers, compare-and-swap, and load-linked/store-conditional. Even though our synthesis
method is largely mechanical, we only require that each process have a finite number of actions,
and that the data referred to in action guards be finite. Underlying data that processes operate
on, and which does not affect action guards, can be infinite. Also, since the number of processes
can increase without limit, the synthesized program as a whole is not finite-state. In addition, our
method is computationally efficient: it does not explicitly construct the automata-theoretic product
of a large number of processes (e.g., all processes that are "alive" at some point) and is therefore
not susceptible to the state-explosion problem, i.e., the exponential growth of the number of global
states with the number of processes, which is widely acknowledged to be the primary impediment
to large-scale application of mechanical verification methods.

Rather than build a global product, our method constructs the product of small numbers of
sequential processes, and in particular, the product of each pair of processes that interact, thereby
avoiding the exponential complexity in the number of processes that are "alive" at any time. The
product of each pair of interacting processes, or pair-machine, is a Kripke structure which embodies
the interaction of the two processes. The pair-machines can be constructed manually, and then
efficiently model-checked (since they are small) to verify pair-properties: behavioral properties of the
interaction of the two processes, when viewed in isolation from the remaining processes. Alternatively,
the pair-properties can be specified first, and the pair-machine automatically synthesized
from the pair-properties by the use of mechanical synthesis methods such as [EC82, MW84, KV97].
Again this is efficient since the pair-machines are small.

Corresponding to each pair-machine is a pair-program, a syntactic realization of the pair-machine,
which generates the pair-machine as its global-state transition diagram. Finally, we
syntactically compose all of the pair-programs. This composition has a conjunctive nature: a process
$P_i$ can make a transition iff that transition is permitted by all of the pair-programs in which
$P_i$ participates. We allow such pair-programs to be added dynamically at run-time. They are
then composed with the currently alive pair-programs to re-synthesize the program as it results
after addition of the new pair-program. We are thus able to add new behaviors, which result in
new properties being satisfied, at run-time. The use of pairwise composition greatly facilitates
this, since the addition of a new pair-program does not disturb the correctness properties which
are satisfied by the currently present pair-programs. We establish a "large model" theorem which
shows that the synthesized large program inherits correctness properties from the pair-programs.

Since the pair-machines are small, and since the composition step operates on syntax, i.e., the
pair-programs themselves, and not their state-transition diagrams, our method is computationally
efficient. In particular, the dynamic addition of a single pair-program requires a mechanical synthesis
or model checking step whose complexity is independent of the total number of alive processes
at the time, and depends only on checking the products of the two processes involved in the
pair-program together with some of their neighbors, i.e., the processes which they immediately
interact with. Our method thus overcomes the severe limitations previously imposed by state-explosion
on the applicability of automatic synthesis methods, and extends these methods to the
new domain of dynamic programs.

Our method can generate systems under arbitrary process interconnection schemes, e.g., fully
connected, ring, star. In our model of parallel computation, two processes are interconnected if and
only if (1) one process can inspect the local state of the other process, or (2) both processes
read and/or write a common variable, or both.

The method requires the pair-programs to satisfy certain technical assumptions, thus it is not 
completely general. Nevertheless, it is applicable in many interesting cases. We illustrate our 
method by synthesizing a ring-based two phase commit protocol. Using the large model theorem, we 
show that correctness properties that two processes of the ring satisfy when interacting in isolation 
carry over when those processes are part of the ring. We then easily construct a correctness proof 
for the ring using these properties. We note that the ring can contain an arbitrarily large number 
of processes, i.e., we really synthesize a family of rings, one for each natural number. 

A crucial aspect of our method is its soundness: which correctness properties can be established
for our synthesized programs? We establish a "large model" theorem which shows that
the synthesized program inherits all of the correctness properties of the pair-programs, i.e., the
pair-properties. We express our pair-properties in the branching time temporal logic ACTL [GL94]
minus the nexttime operator. In particular, propositional invariants and some temporal leads-to
properties of any pair-program also hold of the synthesized program. (A temporal leads-to property
has the following form: if condition 1 holds now, then condition 2 eventually holds. ACTL
can express temporal leads-to if condition 1 is purely propositional.) In addition, we can use a
suitable deductive system to combine the pair-properties to deduce correctness properties of the
large program which are not directly expressible in pairwise fashion.

This paper extends our previous work [AE98] on the synthesis of large concurrent programs in 
four important directions: 

1. It eliminates the requirement that all pair-programs be isomorphic to each other, which in 
effect constrains the synthesized program to contain only one type of interaction amongst its 
component processes. In our method, every process can be nonisomorphic with every other 
process, and our method would still be computationally efficient. 

2. It extends the set of correctness properties that are preserved from propositional invariants
and propositional temporal leads-to properties (i.e., leads-to properties where the conditions
are purely propositional) to formulae that can contain arbitrary nesting of temporal modalities.

3. It eliminates the requirement that the number of processes of the synthesized program be 
fixed: our previous work synthesized an infinite family of programs, each of which contains 
a large, but fixed, number of processes. By contrast, the current method produces a single 
program, in which the number of processes can dynamically increase at run-time. 

4. It produces programs that do not require a large grain of atomicity: in [Att99, AE98], each
process needed to atomically inspect the state of all of its neighbors (i.e., all processes with
which it is composed in some pair-program) in a single transition. By contrast, the current
method produces programs that operate using only hardware-available primitives for
interprocess communication and synchronization.

To demonstrate the utility of our method, we apply it to synthesize a two-phase commit protocol, 
and a replicated data service. 

Related work. Previous synthesis methods [AM94, DWT90, EC82, KMTV00, KV97, MW84,
PR89a, PR89b] all rely on some form of exhaustive state space search, and thus suffer from the
state-explosion problem: synthesizing a concurrent program consisting of $K$ sequential processes,
each with $O(N)$ local states, requires building the global state transition diagram of size $O(N^K)$.
There are a number of methods proposed for verifying correctness properties of an infinite family
of finite-state processes [APR+01, CGB86, EK00, EN96, PRZ01, SG92]. All of these deal with
an infinite family of concurrent programs, where each program consists of a possibly large, but
fixed set of processes. No method to date can verify or synthesize a single concurrent program
in which processes can be dynamically created at run time. Furthermore, all methods to date
that deal with large concurrent programs, apart from our own previous work [Att99, AE98], make
the "parametrized system" assumption: the processes can be partitioned into a small number of
"equivalence classes," within each of which all processes are isomorphic. Hence, in eliminating these
two significant restrictions, our method is a significant improvement over the previous literature,
and moves automated synthesis methods close to the realm of practical distributed algorithms.
We illustrate this point by using our method to synthesize a replicated data service based on the
algorithms of [FGL+00, LLSG92]. Our algorithm is actually more flexible, since it permits the
dynamic addition of more replicas at run time. Some synthesis methods in the literature synthesize
"open systems," or "reactive modules," which interact with an environment, and are required
to satisfy a specification regardless of the environment's behavior. The main argument for open
systems synthesis is that open systems can deal with any "input" which the environment presents.
We can achieve this effect by using the "exists nexttime" (EX) modality of the temporal logic CTL
[EC82, Eme90]. We illustrate this in our replicated data service example, where we specify that a
client can submit operations at any time.

The rest of the paper is as follows. Section 2 presents our model of concurrent computation.
Section 3 discusses temporal logic and fairness. Section 4 presents a restricted version of the
method, which is only applicable to static concurrent programs: those with a fixed set of processes.
This approach simplifies the development and exposition of our method. Section 5 establishes
the soundness of the synthesis method for static programs. Section 6 presents the two phase
commit example, which can be treated with the restricted method. Section 7 presents the general
synthesis method, which can produce dynamic concurrent programs. Section 8 shows that the
general method is sound. Section 9 outlines how the synthesized programs can be implemented
using atomic registers. In Section 10 we use our method to synthesize an eventually-serializable
replicated data service. Section 11 discusses further work and concludes.

2 Model of Concurrent Computation 

We assume the existence of a possibly infinite, universal set $\mathit{Pids}$ of unique process indices. A
concurrent program $P$ consists of a finite, unbounded, and possibly varying number of sequential
processes $P_i$, $i \in \mathit{Pids}$, running in parallel, i.e., $P = P_1 \parallel \cdots \parallel P_K$ where $P_1, \ldots, P_K$ execute in parallel
and are the processes that have been "created" so far. For technical convenience, we do not allow
processes to be "destroyed" in our model. Process destruction can be easily emulated by having a
process enter a "sink" state, from which it has no enabled actions.

With every process $P_i$, we associate a single, unique index, namely $i$. Two processes are similar
if and only if one can be obtained from the other by swapping their indices. Intuitively, this
corresponds to concurrent algorithms where a single "generic" indexed piece of code gives the code
body for all processes.

As stated above, we compose a dynamically varying number of pair-programs to synthesize the
overall program. To define the syntax and semantics of the pair-programs, we use the synchronization
skeleton model of [EC82]. The synchronization skeleton of a process $P_i$ is a state-machine
where each state represents a region of code that performs some sequential computation and each
arc represents a conditional transition (between different regions of sequential code) used to enforce
synchronization constraints. For example, a node labeled $C_i$ may represent the critical section of $P_i$.
While in $C_i$, $P_i$ may increment a single variable, or it may perform an extensive series of updates
on a large database. In general, the internal structure and intended application of the regions of
sequential code are unspecified in the synchronization skeleton. The abstraction to synchronization
skeletons thus eliminates all steps of the sequential computation from consideration.

Formally, the synchronization skeleton of each process $P_i$ is a directed graph where each node
$s_i$ is a unique local state of $P_i$, and each arc has a label of the form $\oplus_{\ell \in [n]} B_\ell \rightarrow A_\ell$,¹ where each
$B_\ell \rightarrow A_\ell$ is a guarded command [Dij76], and $\oplus$ is guarded command "disjunction," i.e., the arc is
equivalent to $n$ arcs, between the same pair of nodes, each labeled with one of the $B_\ell \rightarrow A_\ell$. Let
$\mathit{graph}(P_i)$ denote the synchronization skeleton of process $i$ with all the arc labels removed.

Roughly, the operational semantics of $\oplus_{\ell \in [n]} B_\ell \rightarrow A_\ell$ is that if one of the $B_\ell$ evaluates to true,
then the corresponding body $A_\ell$ can be executed. If none of the $B_\ell$ evaluates to true, then the
command "blocks," i.e., waits until one of the $B_\ell$ holds.² Each node must have at least one outgoing
arc, i.e., a skeleton contains no "dead ends," and two nodes are connected by at most one arc in
each direction. A (global) state is a tuple of the form $(s_1, \ldots, s_K, v_1, \ldots, v_m)$ where each $s_i$ is the
current local state of $P_i$, and $v_1, \ldots, v_m$ is a list giving the current values of all the shared variables,
$x_1, \ldots, x_m$ (we assume these are ordered in a fixed way, so that $v_1, \ldots, v_m$ specifies a unique value
for each shared variable). A guard $B$ is a predicate on states, and a body $A$ is a parallel assignment
statement that updates the values of the shared variables. If $B$ is omitted from a command, it
is interpreted as true, and we write the command as $A$. If $A$ is omitted, the shared variables are
unaltered, and we write the command as $B$.

We model parallelism in the usual way by the nondeterministic interleaving of the "atomic"
transitions of the individual synchronization skeletons of the processes $P_i$. Hence, at each step
of the computation, some process with an "enabled" arc is nondeterministically selected to be
executed next. Assume that the current state is $s = (s_1, \ldots, s_i, \ldots, s_K, v_1, \ldots, v_m)$ and that $P_i$
contains an arc from $s_i$ to $s_i'$ labeled by the command $B \rightarrow A$. If $B$ is true in $s$, then a permissible
next state is $(s_1, \ldots, s_i', \ldots, s_K, v_1', \ldots, v_m')$ where $v_1', \ldots, v_m'$ is the list of updated values for the
shared variables produced by executing $A$ in state $s$. The arc from $s_i$ to $s_i'$ is said to be enabled in
state $s$. An arc that is not enabled is disabled, or blocked. A (computation) path is any sequence
of states where each successive pair of states is related by the above next-state relation. If the
number of processes is fixed, then the concurrent program can be written as $P_1 \parallel \cdots \parallel P_K$, where $K$
is fixed. In this case, we also specify a set of global states in which execution is permitted to
start. These are the initial states. The program is then written as $(S_0, P_1 \parallel \cdots \parallel P_K)$. An initialized
(computation) path is a computation path whose first state is an initial state. A state is reachable
iff it lies along some initialized path.

3 Temporal Logic and Fairness 

CTL* is a propositional branching time temporal logic [Eme90] whose formulae are built up from
atomic propositions, propositional connectives, the universal ($\mathsf{A}$) and existential ($\mathsf{E}$) path quantifiers,
and the linear-time modalities nexttime (by process $j$) $\mathsf{X}_j$, and strong until $\mathsf{U}$. The sublogic
ACTL* [GL94] is the "universal fragment" of CTL*: it results from CTL* by restricting negation to
propositions, and eliminating the existential path quantifier $\mathsf{E}$. The sublogic CTL [EC82] results
from restricting CTL* so that every linear-time modality is paired with a path quantifier, and vice-versa.
The sublogic ACTL [GL94] results from restricting ACTL* in the same way. The linear-time
temporal logic PTL [MW84] results from removing the path quantifiers from CTL*.

We have the following syntax for CTL*. We inductively define a class of state formulae (true
or false of states) using rules (S1)-(S3) below and a class of path formulae (true or false of paths)
using rules (P1)-(P3) below:

(S1) The constants true and false are state formulae. $p$ is a state formula for any atomic proposition $p$.

(S2) If $f, g$ are state formulae, then so are $f \wedge g$, $\neg f$.

(S3) If $f$ is a path formula, then $\mathsf{A}f$ is a state formula.

(P1) Each state formula is also a path formula.

(P2) If $f, g$ are path formulae, then so are $f \wedge g$, $\neg f$.

(P3) If $f, g$ are path formulae, then so are $\mathsf{X}_j f$, $f \mathsf{U} g$.

The linear-time temporal logic PTL [MW84] consists of the set of path formulae generated by
rules (S1) and (P1)-(P3). We also introduce some additional modalities as abbreviations: $\mathsf{F}f$
(eventually) for $[\mathit{true}\,\mathsf{U}\,f]$, $\mathsf{G}f$ (always) for $\neg\mathsf{F}\neg f$, $[f\,\mathsf{U}_w\,g]$ (weak until) for $[f\,\mathsf{U}\,g] \vee \mathsf{G}f$,
$\overset{\infty}{\mathsf{F}} f$ (infinitely often) for $\mathsf{G}\mathsf{F}f$, and $\overset{\infty}{\mathsf{G}} f$ (eventually always) for $\mathsf{F}\mathsf{G}f$.

¹ $[n]$ denotes the integers from 1 to $n$ inclusive.
² This interpretation was proposed by [Dij82].
Likewise, we have the following syntax for ACTL*.

(S1) The constants true and false are state formulae. $p$ and $\neg p$ are state formulae for any atomic
proposition $p$.

(S2) If $f, g$ are state formulae, then so are $f \wedge g$, $f \vee g$.

(S3) If $f$ is a path formula, then $\mathsf{A}f$ is a state formula.

(P1) Each state formula is also a path formula.

(P2) If $f, g$ are path formulae, then so are $f \wedge g$, $f \vee g$.

(P3) If $f, g$ are path formulae, then so are $\mathsf{X}_j f$, $f \mathsf{U} g$, and $f\,\mathsf{U}_w\,g$.

The logic ACTL [GL94] is obtained by replacing rules (S3), (P1)-(P3) by (S3'):

(S3') If $f, g$ are state formulae, then so are $\mathsf{A}\mathsf{X}_j f$, $\mathsf{A}[f \mathsf{U} g]$, and $\mathsf{A}[f\,\mathsf{U}_w\,g]$.

The set of state formulae generated by rules (S1), (S2) and (S3') forms ACTL. The logic $\mathrm{ACTL}^-$
is the logic ACTL without the $\mathsf{A}\mathsf{X}_j$ modality. We define the logic $\mathrm{ACTL}^* - \mathsf{X}$ to be the logic ACTL*
without the $\mathsf{X}_j$ modality, and the logic $\mathrm{ACTL}^-_{ij}$ to be $\mathrm{ACTL}^-$ where the atomic propositions are
drawn only from $\mathcal{AP}_i \cup \mathcal{AP}_j$.

Formally, we define the semantics of CTL* formulae with respect to a structure $M = (S, R)$
consisting of

• $S$, a countable set of states. Each state is a mapping from the set $\mathcal{AP}$ of atomic propositions
into $\{\mathit{true}, \mathit{false}\}$, and

• $R = \bigcup_{i \in \mathit{Pids}} R_i$, where $R_i \subseteq S \times \{i\} \times S$ is a relation on $S$ giving the transitions of
process $i$.

Here $\mathcal{AP} = \bigcup_{i \in \mathit{Pids}} \mathcal{AP}_i$, where $\mathcal{AP}_i$ is the set of atomic propositions that "belong" to process $i$.
Other processes can read propositions in $\mathcal{AP}_i$, but only process $i$ can modify these propositions
(which collectively define the local state of process $i$).

A path is a sequence of states $(s_1, s_2, \ldots)$ such that $\forall i: (s_i, s_{i+1}) \in R$, and a fullpath is a maximal
path. A fullpath $(s_1, s_2, \ldots)$ is infinite unless for some $s_k$ there is no $s_{k+1}$ such that $(s_k, s_{k+1}) \in R$.
We use the convention (1) that $\pi = (s_1, s_2, \ldots)$ denotes a fullpath and (2) that $\pi^i$ denotes the suffix
$(s_i, s_{i+1}, s_{i+2}, \ldots)$ of $\pi$, provided $i \le |\pi|$, where $|\pi|$, the length of $\pi$, is $\omega$ when $\pi$ is infinite and
$k$ when $\pi$ is finite and of the form $(s_1, \ldots, s_k)$; otherwise $\pi^i$ is undefined. We also use the usual
notation to indicate truth in a structure: $M, s_1 \models f$ (respectively $M, \pi \models f$) means that $f$ is true
in structure $M$ at state $s_1$ (respectively of fullpath $\pi$). In addition, we use $M, S' \models f$ to mean
$\forall s \in S' : (M, s \models f)$, where $S'$ is a set of states. We define $\models$ inductively:

(S1) $M, s_1 \models \mathit{true}$ and $M, s_1 \not\models \mathit{false}$. $M, s_1 \models p$ iff $s_1(p) = \mathit{true}$. $M, s_1 \models \neg p$ iff $s_1(p) = \mathit{false}$.

(S2) $M, s_1 \models f \wedge g$ iff $M, s_1 \models f$ and $M, s_1 \models g$.
$M, s_1 \models f \vee g$ iff $M, s_1 \models f$ or $M, s_1 \models g$.

(S3) $M, s_1 \models \mathsf{A}f$ iff for every fullpath $\pi = (s_1, s_2, \ldots)$ in $M$: $M, \pi \models f$.

(P1) $M, \pi \models f$ iff $M, s_1 \models f$, for a state formula $f$.

(P2) $M, \pi \models f \wedge g$ iff $M, \pi \models f$ and $M, \pi \models g$.
$M, \pi \models f \vee g$ iff $M, \pi \models f$ or $M, \pi \models g$.

(P3) $M, \pi \models \mathsf{X}_j f$ iff $\pi^2$ is defined and $(s_1, s_2) \in R_j$ and $M, \pi^2 \models f$.
$M, \pi \models f \mathsf{U} g$ iff there exists $i \in [1 : |\pi|]$ such that
$M, \pi^i \models g$ and for all $j \in [1 : (i-1)]$: $M, \pi^j \models f$.
$M, \pi \models f\,\mathsf{U}_w\,g$ iff for all $i \in [1 : |\pi|]$:
if $M, \pi^j \not\models g$ for all $j \in [1 : i]$, then $M, \pi^i \models f$.

When the structure $M$ is understood from context, it may be omitted (e.g., $M, s_1 \models p$ is written as
$s_1 \models p$). Since the other logics are all sublogics of CTL*, the above definition provides semantics
for them as well. We refer the reader to [Eme90] for details in general, and to [GL94] for details of
ACTL.
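The clauses above can be turned directly into an explicit-state checker for the ACTL-minus-nexttime fragment in which pair-properties are written. The following is an added example, not code from the paper: it evaluates $\mathsf{A}[f\,\mathsf{U}\,g]$ and $\mathsf{A}[f\,\mathsf{U}_w\,g]$ (and hence $\mathsf{AF}$ and $\mathsf{AG}$) as fixpoints over a finite structure $M = (S, R)$ with a labelling $L$, using the fullpath semantics of (P3); it does not model the fairness relativization of Section 3.1. The tuple encoding of formulae, the function names and the four-state request/critical/halted structure are assumptions made here for illustration.

```python
"""Explicit-state checker for ACTL minus nexttime over a finite structure
M = (S, R) with labelling L, following the fullpath semantics of Section 3.
Added example, not the paper's code.  The structure below is constructed for
illustration.  Fairness (Section 3.1) is not modelled: A quantifies over all
maximal paths (fullpaths), finite ones included."""

# Assumed formula encoding:
#   True | False | "p" (atomic) | ("not", "p") | ("and", f, g) | ("or", f, g)
#   | ("AU", f, g) | ("AW", f, g) | ("AF", f) | ("AG", f)
# Negation is allowed only on atomic propositions, as in ACTL.


def sat(S, R, L, f):
    """Return the set of states of (S, R, L) at which formula f holds."""
    if f is True:
        return set(S)
    if f is False:
        return set()
    if isinstance(f, str):
        return {s for s in S if f in L[s]}
    op = f[0]
    if op == "not":
        assert isinstance(f[1], str), "ACTL: negation only on atomic propositions"
        return {s for s in S if f[1] not in L[s]}
    if op == "and":
        return sat(S, R, L, f[1]) & sat(S, R, L, f[2])
    if op == "or":
        return sat(S, R, L, f[1]) | sat(S, R, L, f[2])
    if op == "AF":                       # AF g  ==  A[true U g]
        return sat(S, R, L, ("AU", True, f[1]))
    if op == "AG":                       # AG f  ==  A[f Uw false]
        return sat(S, R, L, ("AW", f[1], False))
    if op == "AU":
        return _au(S, R, sat(S, R, L, f[1]), sat(S, R, L, f[2]))
    if op == "AW":
        return _aw(S, R, sat(S, R, L, f[1]), sat(S, R, L, f[2]))
    raise ValueError("unknown operator %r" % (op,))


def _au(S, R, F, G):
    """A[f U g]: least fixpoint of Z = G | (F & AX Z).  A state with no
    successor ends a finite fullpath on which g must already hold at that
    state, so it enters Z only through G: AX is NOT vacuously true here."""
    Z = set(G)
    while True:
        new = Z | {s for s in F if R[s] and all(t in Z for t in R[s])}
        if new == Z:
            return Z
        Z = new


def _aw(S, R, F, G):
    """A[f Uw g]: greatest fixpoint of Z = G | (F & AX Z).  On the finite
    fullpath (s), f at s suffices, so here AX is vacuously true at s."""
    Z = set(S)
    while True:
        new = G | {s for s in F if all(t in Z for t in R[s])}
        if new == Z:
            return Z
        Z = new


# Constructed structure: one process that requests, may retry (the self-loop
# on "req"), enters its critical section, then either returns to idle or
# halts in a sink state (the paper's emulation of process destruction).
S = ["idle", "req", "crit", "done"]
R = {"idle": ["req"], "req": ["req", "crit"], "crit": ["idle", "done"], "done": []}
L = {"idle": set(), "req": {"requesting"}, "crit": {"critical"}, "done": {"halted"}}


def example():
    """Evaluate a few properties; returns the satisfying state sets."""
    return {
        # invariant: never requesting and critical at once (holds everywhere)
        "AG(not requesting or not critical)":
            sat(S, R, L, ("AG", ("or", ("not", "requesting"), ("not", "critical")))),
        # strong until fails at req: the fullpath req, req, req, ... never reaches crit
        "A[requesting U critical]": sat(S, R, L, ("AU", "requesting", "critical")),
        # weak until holds at req: the retry loop keeps requesting true forever
        "A[requesting Uw critical]": sat(S, R, L, ("AW", "requesting", "critical")),
        # AF critical is false at the sink "done": the fullpath (done) has no crit
        "AF critical": sat(S, R, L, ("AF", "critical")),
    }


if __name__ == "__main__":
    for name, states in example().items():
        print("%-36s %s" % (name, sorted(states)))
```

The place where the fullpath semantics bites is a state with no successor: on the finite fullpath $(s)$, $\mathsf{A}[f\,\mathsf{U}\,g]$ needs $g$ at $s$ itself, so the least fixpoint must not treat $\mathsf{AX}$ as vacuously true there, whereas $\mathsf{A}[f\,\mathsf{U}_w\,g]$ is satisfied by $f$ alone. The retry self-loop on `req` also shows why liveness needs the fairness assumption of Section 3.1: without it, $\mathsf{A}[\mathit{requesting}\,\mathsf{U}\,\mathit{critical}]$ fails at `req` although the weak form holds.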

3.1 Fairness 

To guarantee liveness properties of the synthesized program, we use a form of weak fairness. Fairness
is usually specified as a linear-time logic (i.e., PTL) formula $\Phi$, and a fullpath is fair iff it satisfies $\Phi$.
To state correctness properties under the assumption of fairness, we relativize satisfaction ($\models$)
so that only fair fullpaths are considered. The resulting notion of satisfaction, $\models_\Phi$, is defined by
[EL87] as follows:

(S3-fair) $M, s_1 \models_\Phi \mathsf{A}f$ iff for every $\Phi$-fair fullpath $\pi = (s_1, s_2, \ldots)$ in $M$: $M, \pi \models f$.

Effectively, path quantification is only over the paths that satisfy $\Phi$.

4 Synthesis of Static Concurrent Programs 

To simplify the development and exposition of our method, we first present a restricted case, where 
we synthesize static concurrent programs, i.e., those with a fixed set of processes. We extend the 
method to dynamic concurrent programs in Section 7 below. 

As stated earlier, our aim is to synthesize a large concurrent program $P = P_{i_1} \parallel \cdots \parallel P_{i_K}$
without explicitly generating its global state transition diagram, and thereby incurring time and
space complexity exponential in the number of component processes of $P$. We achieve this by
breaking the synthesis problem down into two steps:

1. For every pair of processes in $P$ that interact directly, synthesize a pair-program that describes
their interaction.
2. Combine all the pair-programs to produce $P$.

When we say $P_i$ and $P_j$ interact directly, we mean that each process can read the other process's
atomic propositions (which, recall, encode the process's local state), and that they have a set
$\mathcal{SH}_{ij}$ of shared variables that they both read and write. We define the interconnection relation
$I \subseteq \{i_1, \ldots, i_K\} \times \{i_1, \ldots, i_K\} \times \mathrm{ACTL}^-_{ij}$ as follows: $(i, j, f_{ij}) \in I$ iff $P_i$ and $P_j$ interact directly,
and $f_{ij}$ is an $\mathrm{ACTL}^-_{ij}$ formula specifying this interaction. In the sequel we let $\mathit{spec}_{ij}$ denote the
specification associated with $(i, j)$, and we say that $\{i_1, \ldots, i_K\}$ is the domain of $I$. We introduce
the "spatial modality" $\bigwedge_{ij}$, which quantifies over all pairs $i, j$ such that $i$ and $j$ are related by
$I$. Thus, $\bigwedge_{ij} \mathit{spec}_{ij}$ is equivalent to $\forall (i, j, \mathit{spec}_{ij}) \in I : \mathit{spec}_{ij}$. We stipulate that $I$ is "irreflexive,"
that is, $(i, i, f_{ii}) \notin I$ for all $i, f_{ii}$, and that every process interacts directly with at least one other
process: $\forall i \in \{i_1, \ldots, i_K\} : (\exists j, f_{ij} : (i, j, f_{ij}) \in I \vee (j, i, f_{ij}) \in I)$. Furthermore, for any pair of
process indices $i, j$, $I$ contains at most one triple $(k, l, f_{kl})$ such that $k \in \{i, j\}$ and $l \in \{i, j\}$. In
the sequel, we say that $i$ and $j$ are neighbors when $(i, j, f_{ij}) \in I$ or $(j, i, f_{ij}) \in I$, for some $f_{ij}$. We
shall sometimes abuse notation and write $(i, j) \in I$ (or $i\,I\,j$) for $\exists f_{ij} : ((i, j, f_{ij}) \in I \vee (j, i, f_{ij}) \in I)$.
We also introduce the following abbreviations: $I(i)$ denotes the set $\{j \mid i\,I\,j\}$; and $\hat{I}(i)$ denotes
the set $\{i\} \cup \{j \mid i\,I\,j\}$. Since the interconnection relation $I$ embodies a complete specification, we
shall refer to a program that has been synthesized from $I$ as an $I$-program, and to its component
processes as $I$-processes.

Since our focus in this article is on avoiding state-explosion, we shall not explicitly address
step 1 of the synthesis method outlined above. Any method for deriving concurrent programs
from temporal logic specifications can be used to generate the required pair-programs, e.g., the
synthesis method of [EC82]. Since a pair-program has only $O(N^2)$ states (where $N$ is the size of
each sequential process), the problem of deriving a pair-program from a specification is considerably
easier than that of deriving an $I$-program from the specification. Hence, the contribution of this
article, namely the second step above, is to reduce the more difficult problem (deriving the $I$-program)
to the easier problem (deriving the pair-programs). We proceed as follows.

For sake of argument, let us first assume that all the pair-programs are actually isomorphic to
each other. Let $i\,I\,j$. We denote the pair-program for processes $i$ and $j$ by $(S^0_{ij}, P^j_i \parallel P^i_j)$, where $S^0_{ij}$ is
the set of initial states, $P^j_i$ is the synchronization skeleton for process $i$ in this pair-program, and
$P^i_j$ is the synchronization skeleton for process $j$. We take $(S^0_{ij}, P^j_i \parallel P^i_j)$ and generalize it in a natural way
to an $I$-program. We show that our generalization preserves a large class of correctness properties.
Roughly the idea is as follows. Consider first the generalization to three pairwise interconnected
processes $i, j, k$, i.e., $I = \{(i, j), (j, k), (k, i)\}$.³ With respect to process $i$, the proper interaction (i.e.,
the interaction required to satisfy the specification) between process $i$ and process $j$ is captured by
the synchronization commands that label the arcs of $P^j_i$. Likewise, the proper interaction between
process $i$ and process $k$ is captured by the arc labels of $P^k_i$. Therefore, in the three-process program
consisting of processes $i, j, k$ executing concurrently (and where process $i$ is interconnected to both
process $j$ and process $k$), the proper interaction for process $i$ with processes $j$ and $k$ is captured as
follows: when process $i$ traverses an arc, the synchronization command which labels that arc in $P^j_i$
is executed "simultaneously" with the synchronization command which labels the corresponding
arc in $P^k_i$. For example, taking as our specification the mutual exclusion problem, if $P_i$ executes
the mutual exclusion protocol with respect to both $P_j$ and $P_k$, then, when $P_i$ enters its critical
section, both $P_j$ and $P_k$ must be outside their own critical sections.

Based on the above reasoning, we determine that the synchronization skeleton for process $i$
in the aforementioned three-process program (call it $P^I_i$) has the same basic graph structure as
$P^j_i$ and $P^k_i$, and an arc label in $P^I_i$ is a "composition" of the labels of the corresponding arcs
in $P^j_i$ and $P^k_i$. In addition, the initial states $S^0_I$ of the three-process program are exactly those
states that "project" onto initial states of all three pair-programs $(S^0_{ij}, P^j_i \parallel P^i_j)$, $(S^0_{jk}, P^k_j \parallel P^j_k)$, and
$(S^0_{ki}, P^i_k \parallel P^k_i)$.

³ Note the abuse of notation: we have omitted the $\mathrm{ACTL}^-$ formulae.

Generalizing the above to the case of an arbitrary interconnection relation $I$, we see that the
skeleton for process $i$ in the $I$-program (call it $P^I_i$) has the same basic graph structure as $P^j_i$,
and a transition label in $P^I_i$ is a "composition" of the labels of the corresponding transitions in
$P^{j_1}_i, \ldots, P^{j_n}_i$, where $\{j_1, \ldots, j_n\} = I(i)$, i.e., processes $j_1, \ldots, j_n$ are all the $I$-neighbors of process $i$.
Likewise the set $S^0_I$ of initial states of the $I$-program is exactly those states all of whose "projections"
onto all the pairs in $I$ give initial states of the corresponding pair-program.

We now note that the above discussion does not use in any essential way the assumption
that pair-programs are isomorphic to each other. In fact, the above argument can still be made
if pair-programs are not isomorphic, provided that they induce the same local structure on all
common processes. That is, for pair-programs $(S^0_{ij}, P^j_i \parallel P^i_j)$ and $(S^0_{ik}, P^k_i \parallel P^i_k)$, we require that
$\mathit{graph}(P^j_i) = \mathit{graph}(P^k_i)$, where $\mathit{graph}(P^j_i)$, $\mathit{graph}(P^k_i)$ result from removing all arc labels from $P^j_i$, $P^k_i$
respectively. Also, the initial state sets of all the pair-programs must be such that there is at least one
$I$-state that projects onto some initial state of every pair-program (and hence the initial state set
of the $I$-program will be nonempty). We assume, in the sequel, that these conditions hold. Also,
all quoted results from [AE98] have been reverified to hold in our setting, i.e., when the similarity
assumptions of [AE98] are dropped.
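As an added example (not code from the paper) of both the computation model of Section 2 and the pairwise, conjunctive composition just described: the block below encodes synchronization skeletons as guarded-command arcs, a pair-program as two skeletons plus an initial state, builds the $I$-program for a three-process ring $I = \{(1,2), (2,3), (3,1)\}$ by conjoining, arc by arc, the guards of the pair-programs in which each process participates (and executing their bodies together), explores the result by nondeterministic interleaving, and checks that every reachable $I$-state projects (the $s \upharpoonright ij$ operator of the next paragraphs) onto a reachable state of each pair-program, which is what lets a pair-program's propositional invariants carry over to the $I$-program. The N/T/C mutual-exclusion pair-program, the shared variables `last_ij`, and all function names are constructed here and are not the paper's.

```python
"""Synchronization skeletons with interleaving semantics and the pairwise,
conjunctive composition of pair-programs into an I-program.  Added example,
not the paper's code: the N/T/C mutual-exclusion pair-program, the shared
variables last_ij and the three-process ring are constructed here."""


def mutex_skeleton(i, j):
    """Skeleton P_i^j of process i in its pair-program with j.  Local states:
    N (noncritical), T (trying), C (critical).  An arc is (guard, body, target);
    a guard is a predicate on the global state (locals, shared); a body is a
    parallel assignment to shared variables.  The T -> C guard inspects j's
    local state and its body records in last_ij (in SH_ij) who entered last."""
    last = "last_%d%d" % (min(i, j), max(i, j))
    return {
        "N": [(lambda s: True, {}, "T")],
        "T": [(lambda s, j=j: s[0][j] != "C", {last: i}, "C")],
        "C": [(lambda s: True, {}, "N")],
    }


def mutex_pair(i, j):
    """Pair-program (S0_ij, P_i^j || P_j^i): skeletons plus the initial state."""
    last = "last_%d%d" % (min(i, j), max(i, j))
    return ({i: mutex_skeleton(i, j), j: mutex_skeleton(j, i)},
            ({i: "N", j: "N"}, {last: None}))


def compose(pairs):
    """Conjunctive composition.  P_i^I has the graph of every P_i^j (which must
    agree); the label of arc n -> n' in P_i^I is the conjunction of the pair-
    guards together with the parallel execution of the pair-bodies.  The initial
    I-state projects onto the initial state of every pair-program."""
    per_proc, loc0, sh0 = {}, {}, {}
    for skels, (l0, s0) in pairs.values():
        for i, sk in skels.items():
            per_proc.setdefault(i, []).append(sk)
        loc0.update(l0)
        sh0.update(s0)
    program = {}
    for i, skels in per_proc.items():
        nodes = set(skels[0])
        assert all(set(sk) == nodes for sk in skels), "graph(P_i) differs between pair-programs"
        program[i] = {}
        for n in nodes:
            targets = {t for sk in skels for (_, _, t) in sk[n]}
            program[i][n] = []
            for t in targets:
                cmds = [(g, b) for sk in skels for (g, b, tt) in sk[n] if tt == t]
                assert len(cmds) == len(skels), "arc %s -> %s missing in a pair-program" % (n, t)
                guard = lambda s, cmds=cmds: all(g(s) for g, _ in cmds)
                body = {x: v for _, b in cmds for x, v in b.items()}
                program[i][n].append((guard, body, t))
    return program, (loc0, sh0)


def freeze(loc, sh):
    """Hashable form of a global state (local states, shared variables)."""
    return (tuple(sorted(loc.items())), tuple(sorted(sh.items())))


def reachable(program, init):
    """Nondeterministic interleaving: at every step some process with an
    enabled arc moves, atomically.  Returns the set of reachable global states."""
    seen, todo = {freeze(*init)}, [init]
    while todo:
        loc, sh = todo.pop()
        for i, sk in program.items():
            for guard, body, target in sk[loc[i]]:
                if guard((loc, sh)):
                    loc2, sh2 = dict(loc), dict(sh)
                    loc2[i] = target
                    sh2.update(body)
                    key = freeze(loc2, sh2)
                    if key not in seen:
                        seen.add(key)
                        todo.append((loc2, sh2))
    return seen


def project(state, i, j, shared):
    """s|ij: the ij-state of frozen I-state s (local states of i, j and SH_ij)."""
    loc, sh = dict(state[0]), dict(state[1])
    return freeze({i: loc[i], j: loc[j]}, {x: sh[x] for x in shared})


def ring(n=3):
    """I = {(1,2), (2,3), ..., (n,1)}: a ring of n mutex pair-programs."""
    assert n >= 3, "with n = 2 both triples would relate the same pair"
    return {(k, k % n + 1): mutex_pair(k, k % n + 1) for k in range(1, n + 1)}


def check_ring(n=3):
    """Compose the ring, explore the I-program, and check (a) that every
    reachable I-state projects onto a reachable state of each pair-program,
    so pair-program invariants carry over, and (b) mutual exclusion between
    neighbours, which is one such invariant."""
    pairs = ring(n)
    program, init = compose(pairs)
    states = reachable(program, init)
    projections_ok = True
    for (i, j), pair in pairs.items():
        pair_states = reachable(*pair)
        shared = list(pair[1][1])
        projections_ok &= all(project(s, i, j, shared) in pair_states for s in states)
    mutex = all(not (dict(s[0])[i] == "C" and dict(s[0])[j] == "C")
                for s in states for (i, j) in pairs)
    return {"i_states": len(states), "projections_ok": projections_ok, "mutex": mutex}


if __name__ == "__main__":
    print(check_ring())
```

In the ring, each process's T → C arc ends up guarded by the conjunction of its two pair-guards, so process 1 enters its critical section only when neither neighbour is in its own. The projection check is the concrete form of the argument that a move of process 3 cannot change the $(1,2)$ pair-state (it touches neither their local states nor $\mathcal{SH}_{12}$), and the assertions in `compose` are where the requirement $\mathit{graph}(P^j_i) = \mathit{graph}(P^k_i)$ is enforced.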

Before formally defining our synthesis method, we need some technical definitions. 

Since $P^j_i$ and $P^I_i$ have the same local structure, they have the same nodes (remember that $P^j_i$ and
$P^I_i$ are synchronization skeletons). A node of $P^j_i$, $P^I_i$ is a mapping of $\mathcal{AP}_i$ to $\{\mathit{true}, \mathit{false}\}$. We will
refer to such nodes as $i$-states. A state of the pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ is a tuple $(s_i, s_j, v^1_{ij}, \ldots, v^n_{ij})$
where $s_i, s_j$ are $i$-states, $j$-states, respectively, and $v^1_{ij}, \ldots, v^n_{ij}$ give the values of all the variables in
$\mathcal{SH}_{ij}$. We refer to states of $P^j_i \parallel P^i_j$ as $ij$-states. An $ij$-state inherits the assignments defined by its
component $i$- and $j$-states: $s_{ij}(p_i) = s_i(p_i)$, $s_{ij}(p_j) = s_j(p_j)$, where $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^n_{ij})$, and
$p_i, p_j$ are arbitrary atomic propositions in $\mathcal{AP}_i$, $\mathcal{AP}_j$, respectively.

We now turn to $I$-programs. If interconnection relation $I$ has domain $\{i_1, \ldots, i_K\}$, then we denote
an $I$-program by $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$. $S^0_I$ is the set of initial states, and $P^I_i$ is the synchronization
skeleton for process $i$ ($i \in \{i_1, \ldots, i_K\}$) in this $I$-program. A state of $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$ is a tuple
$(s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, where $s_i$ ($i \in \{i_1, \ldots, i_K\}$) is an $i$-state and $v^1, \ldots, v^n$ give the values of
all the shared variables of the $I$-program (we assume some fixed ordering of these variables, so that
the values assigned to them are uniquely determined by the list $v^1, \ldots, v^n$). We refer to states of
an $I$-program as $I$-states. An $I$-state inherits the assignments defined by its component $i$-states
($i \in \{i_1, \ldots, i_K\}$): $s(p_i) = s_i(p_i)$, where $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, and $p_i$ is an arbitrary atomic
proposition in $\mathcal{AP}_i$ ($i \in \{i_1, \ldots, i_K\}$). We shall usually use $s, t, u$ to denote $I$-states. If $J \subseteq I$, then
we define a $J$-program exactly like an $I$-program, but using interconnection relation $J$ instead of
$I$. $J$-state is similarly defined.

Let $s_i$ be an $i$-state. We define a state-to-formula operator $\{\!|\cdot|\!\}$ that takes an $i$-state $s_i$ as an argument and returns a propositional formula that characterizes $s_i$, in that $s_i \models \{\!|s_i|\!\}$ and $s'_i \not\models \{\!|s_i|\!\}$ for all $i$-states $s'_i$ such that $s'_i \ne s_i$: $\{\!|s_i|\!\} = (\bigwedge_{s_i(p_i)=true} p_i) \wedge (\bigwedge_{s_i(p_i)=false} \neg p_i)$, where $p_i$ ranges over the members of $\mathcal{AP}_i$. $\{\!|s_{ij}|\!\}$ is defined similarly. We define the state projection operator $\upharpoonright$. This operator has several variants. First of all, we define projection onto a single process from both $I$-states and $ij$-states: if $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, then $s\upharpoonright i = s_i$, and if $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^n_{ij})$, then $s_{ij}\upharpoonright i = s_i$. This gives the $i$-state corresponding to the $I$-state $s$, $ij$-state $s_{ij}$, respectively. Next we define projection of an $I$-state onto a pair-program: if $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, then $s\upharpoonright ij = (s_i, s_j, v^1_{ij}, \ldots, v^n_{ij})$, where $v^1_{ij}, \ldots, v^n_{ij}$ are those values from $v^1, \ldots, v^n$ that denote values of variables in $\mathcal{SH}_{ij}$. This gives the $ij$-state corresponding to the $I$-state $s$, and is well defined only when $iIj$. We also define projection onto the shared variables in $\mathcal{SH}_{ij}$ from both $ij$-states and $I$-states: if $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^n_{ij})$, then $s_{ij}\upharpoonright\mathcal{SH}_{ij} = (v^1_{ij}, \ldots, v^n_{ij})$, and if $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, then $s\upharpoonright\mathcal{SH}_{ij} = (v^1_{ij}, \ldots, v^n_{ij})$, where $v^1_{ij}, \ldots, v^n_{ij}$ are those values from $v^1, \ldots, v^n$ that denote values of variables in $\mathcal{SH}_{ij}$. Finally, we define projection of an $I$-state onto a $J$-program. If $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, then $s\upharpoonright J = (s_{j_1}, \ldots, s_{j_L}, v^1_J, \ldots, v^m_J)$, where $\{j_1, \ldots, j_L\}$ is the domain of $J$, and $v^1_J, \ldots, v^m_J$ are those values from $v^1, \ldots, v^n$ that denote values of variables in $\bigcup_{(i,j) \in J} \mathcal{SH}_{ij}$. This gives the $J$-state (defined analogously to an $I$-state) corresponding to the $I$-state $s$ and is well defined only when $J \subseteq I$.

To define projection for paths, we first extend the definition of path (and fullpath) to include the index of the process making the transition, i.e., each transition is labeled by an index denoting this process. For example, a path in $M_I$ would be represented as $s^1 \xrightarrow{d_1} s^2 \cdots s^n \xrightarrow{d_n} s^{n+1} \xrightarrow{d_{n+1}} s^{n+2} \cdots$, where $\forall m \ge 1 : (d_m \in dom(I))$. Let $\pi$ be an arbitrary path in $M_I$. For any $J$ such that $J \subseteq I$, define a $J$-block (cf. [CGB86] and [BCG88]) of $\pi$ to be a maximal subsequence of $\pi$ that starts and ends in a state and does not contain a transition by any $P_i$ such that $i \in dom(J)$. Thus we can consider $\pi$ to be a sequence of $J$-blocks with successive $J$-blocks linked by a single $P_i$-transition such that $i \in dom(J)$ (note that a $J$-block can consist of a single state). It also follows that $s\upharpoonright J = t\upharpoonright J$ for any pair of states $s, t$ in the same $J$-block. This is because a transition that is not by some $P_i$ such that $i \in dom(J)$ cannot affect any atomic proposition in $\bigcup_{i \in dom(J)} \mathcal{AP}_i$, nor can it change the value of a variable in $\bigcup_{(i,j) \in J} \mathcal{SH}_{ij}$, and a $J$-block contains no such $P_i$-transition. Thus, if $B$ is a $J$-block, we define $B\upharpoonright J$ to be $s\upharpoonright J$ for some state $s$ in $B$. We now give the formal definition of path projection. We use the same notation ($\upharpoonright$) as for state projection. Let $B^n$ denote the $n$th $J$-block of $\pi$.

Definition 1 (Path projection) Let $\pi$ be $B^1 \xrightarrow{d_1} B^2 \cdots B^n \xrightarrow{d_n} B^{n+1} \cdots$ where $B^m$ is a $J$-block for all $m \ge 1$. Then the path projection operator $\upharpoonright J$ is given by: $\pi\upharpoonright J = B^1\upharpoonright J \xrightarrow{d_1} B^2\upharpoonright J \cdots B^n\upharpoonright J \xrightarrow{d_n} B^{n+1}\upharpoonright J \cdots$

Thus there is a one-to-one correspondence between $J$-blocks of $\pi$ and states of $\pi\upharpoonright J$, with the $n$th $J$-block of $\pi$ corresponding to the $n$th state of $\pi\upharpoonright J$ (note that path projection is well defined when $\pi$ is finite).

The above discussion leads to the following definition of the synthesis method, which shows how an $I$-process $P^I_i$ of the $I$-program $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ is derived from the pair-processes $\{P^j_i \mid j \in I(i)\}$ of the pair-programs $\{(S^0_{ij}, P^j_i \| P^i_j) \mid j \in I(i)\}$:

Definition 2 (Pairwise synthesis) An $I$-process $P^I_i$ is derived from the pair-processes $P^j_i$, for all $j \in I(i)$, as follows:

$P^I_i$ contains a move from $s_i$ to $t_i$ with label $\bigotimes_{j \in I(i)} \bigoplus_{\ell \in [1:n]} B^j_{i\ell} \rightarrow A^j_{i\ell}$

if and only if

for every $j$ in $I(i)$: $P^j_i$ contains a move from $s_i$ to $t_i$ with label $\bigoplus_{\ell \in [1:n]} B^j_{i\ell} \rightarrow A^j_{i\ell}$.

The initial state set $S^0_I$ of the $I$-program is derived from the initial state sets $S^0_{ij}$ of the pair-programs as follows:

$S^0_I = \{ s \mid \forall (i,j) \in I : (s\upharpoonright ij \in S^0_{ij}) \}$.

Here $\oplus$ and $\otimes$ are guarded command "disjunction" and "conjunction," respectively. Roughly, the operational semantics of $B^j_{i1} \rightarrow A^j_{i1} \oplus B^j_{i2} \rightarrow A^j_{i2}$ is that if one of the guards $B^j_{i1}$, $B^j_{i2}$ evaluates to true, then the corresponding body $A^j_{i1}$, $A^j_{i2}$ respectively, can be executed. If neither $B^j_{i1}$ nor $B^j_{i2}$ evaluates to true, then the command "blocks," i.e., waits until one of $B^j_{i1}$, $B^j_{i2}$ evaluates to true.$^1$ We call an arc whose label has the form $\bigoplus_{\ell \in [1:n]} B^j_{i\ell} \rightarrow A^j_{i\ell}$ a pair-move. In compact notation, a pair-process has at most one move between any pair of local states.

The operational semantics of $B^j_{i1} \rightarrow A^j_{i1} \otimes B^k_{i2} \rightarrow A^k_{i2}$ is that if both of the guards $B^j_{i1}$, $B^k_{i2}$ evaluate to true, then the bodies $A^j_{i1}$, $A^k_{i2}$ can be executed in parallel. If at least one of $B^j_{i1}$, $B^k_{i2}$ evaluates to false, then the command "blocks," i.e., waits until both of $B^j_{i1}$, $B^k_{i2}$ evaluate to true.

We call an arc whose label has the form $\bigotimes_{j \in I(i)} \bigoplus_{\ell \in [1:n]} B^j_{i\ell} \rightarrow A^j_{i\ell}$ an $I$-move. In compact notation, an $I$-process has at most one move between any pair of local states.

The above definition is, in effect, a syntactic transformation that can be carried out in linear time and space (in both $(S^0_{ij}, P^j_i \| P^i_j)$ and $I$). In particular, we avoid explicitly constructing the global state transition diagram of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$, which is of size exponential in $K = |\{i_1, \ldots, i_K\}|$.

Let $M_{ij}$, $M_I$ be the global state transition diagrams of $(S^0_{ij}, P^j_i \| P^i_j)$, $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$, respectively. The technical definitions are given below, and follow the operational semantics given in Section 2.

Definition 3 (Pair-structure) Let $iIj$. The semantics of $(S^0_{ij}, P^j_i \| P^i_j)$ is given by the pair-structure $M_{ij} = (S^0_{ij}, S_{ij}, R_{ij})$ where

1. $S_{ij}$ is a set of $ij$-states,

2. $S^0_{ij} \subseteq S_{ij}$ gives the initial states of $(S^0_{ij}, P^j_i \| P^i_j)$, and

3. $R_{ij} \subseteq S_{ij} \times \{i,j\} \times S_{ij}$ is a transition relation giving the transitions of $(S^0_{ij}, P^j_i \| P^i_j)$. A transition $(s_{ij}, h, t_{ij})$ by $P^{\bar h}_h$ is in $R_{ij}$ if and only if all of the following hold:

(a) $h \in \{i, j\}$,

(b) $s_{ij}$ and $t_{ij}$ are $ij$-states, and

(c) there exists a move $(s_{ij}\upharpoonright h,\ \bigoplus_{\ell \in [1:n]} B^{\bar h}_{h\ell} \rightarrow A^{\bar h}_{h\ell},\ t_{ij}\upharpoonright h)$ in $P^{\bar h}_h$ such that there exists $m \in [1:n]$:

(i) $s_{ij}(B^{\bar h}_{hm}) = true$,

(ii) $\langle s_{ij}\upharpoonright\mathcal{SH}_{ij} \rangle\ A^{\bar h}_{hm}\ \langle t_{ij}\upharpoonright\mathcal{SH}_{ij} \rangle$, and

(iii) $s_{ij}\upharpoonright\bar h = t_{ij}\upharpoonright\bar h$.

Here $\bar h = i$ if $h = j$ and $\bar h = j$ if $h = i$.

$^1$This interpretation was proposed by [Dij82].

In a transition $(s_{ij}, h, t_{ij})$, we say that $s_{ij}$ is the start state and that $t_{ij}$ is the finish state. The transition $(s_{ij}, h, t_{ij})$ is called a $P^{\bar h}_h$-transition. In the sequel, we use $s_{ij} \xrightarrow{h} t_{ij}$ as an alternative notation for the transition $(s_{ij}, h, t_{ij})$. $\langle s_{ij}\upharpoonright\mathcal{SH}_{ij} \rangle\ A\ \langle t_{ij}\upharpoonright\mathcal{SH}_{ij} \rangle$ is Hoare triple notation [Hoa69] for total correctness, which in this case means that execution of $A$ always terminates,$^2$ and, when the shared variables in $\mathcal{SH}_{ij}$ have the values assigned by $s_{ij}$, leaves these variables with the values assigned by $t_{ij}$. $s_{ij}(B^{\bar h}_{hm}) = true$ states that the value of guard $B^{\bar h}_{hm}$ in state $s_{ij}$ is true.$^3$ We consider that $(S^0_{ij}, P^j_i \| P^i_j)$ possesses a correctness property expressed by a CTL* formula $f_{ij}$ if and only if $M_{ij}, S^0_{ij} \models f_{ij}$.

The semantics of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ is given by the global state transition diagram $M_I$ generated by its execution. We call the global state transition diagram of an $I$-system an $I$-structure.

Definition 4 ($I$-structure) The semantics of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ is given by the $I$-structure $M_I = (S^0_I, S_I, R_I)$ where

1. $S_I$ is a set of $I$-states,

2. $S^0_I \subseteq S_I$ gives the initial states of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$, and

3. $R_I \subseteq S_I \times dom(I) \times S_I$ is a transition relation giving the transitions of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$. A transition $(s, i, t)$ by $P^I_i$ is in $R_I$ if and only if

(a) $i \in dom(I)$,

(b) $s$ and $t$ are $I$-states, and

(c) there exists a move $(s\upharpoonright i,\ \bigotimes_{j \in I(i)} \bigoplus_{\ell \in [1:n]} B^j_{i\ell} \rightarrow A^j_{i\ell},\ t\upharpoonright i)$ in $P^I_i$ such that all of the following hold:

(i) for all $j$ in $I(i)$, there exists $m \in [1:n]$: $s(B^j_{im}) = true$ and $\langle s\upharpoonright\mathcal{SH}_{ij} \rangle\ A^j_{im}\ \langle t\upharpoonright\mathcal{SH}_{ij} \rangle$,

(ii) for all $j$ in $dom(I) - \{i\}$: $s\upharpoonright j = t\upharpoonright j$, and

(iii) for all $j, k$ in $dom(I) - \{i\}$, $jIk$: $s\upharpoonright\mathcal{SH}_{jk} = t\upharpoonright\mathcal{SH}_{jk}$.

In a transition $(s, i, t)$, we say that $s$ is the start state, and $t$ is the finish state. The transition $(s, i, t)$ is called a $P^I_i$-transition. In the sequel, we use $s \xrightarrow{i} t$ as alternative notation for the transition $(s, i, t)$. Also, if $I$ is set to $\{(i, j, spec_{ij})\}$ in Definition 4, then the result is, as expected, the pair-structure definition (3). In other words, the two definitions are consistent. Furthermore, the semantics of a $J$-system, $J \subseteq I$, is given by the $J$-structure $M_J = (S^0_J, S_J, R_J)$, which is obtained by using $J$ for $I$ in Definition 4.

As $M_I$ gives the semantics of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$, we consider that $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ possesses a correctness property expressed by a formula $\bigwedge_{(i,j) \in I} f_{ij}$ if and only if $M_I, S^0_I \models \bigwedge_{(i,j) \in I} f_{ij}$, i.e., $M_I, S^0_I \models f_{ij}$ for every $(i,j) \in I$.

$M_{ij}$ and $M_I$ can be interpreted as CTL* structures. We call $M_{ij}$ a pair-structure, since it gives the semantics of a pair-program, and $M_I$ an $I$-structure, since it gives the semantics of an $I$-program. We state our main soundness result below by relating the ACTL formulae that hold in $M_I$ to those that hold in $M_{ij}$.

$^2$Termination is obvious, since the right-hand side of $A$ is a list of constants.

$^3$$s_{ij}(B)$ is defined by the usual inductive scheme: $s_{ij}(\text{``}x_{ij} = b_{ij}\text{''}) = true$ iff $s_{ij}(x_{ij}) = b_{ij}$; $s_{ij}(B1 \wedge B2) = true$ iff $s_{ij}(B1) = true$ and $s_{ij}(B2) = true$; $s_{ij}(\neg B1) = true$ iff $s_{ij}(B1) = false$.
This characterization of transitions in the $I$-program as compositions of transitions in all the relevant pair-programs is formalized in the transition mapping lemma:

Lemma 1 (Transition mapping [AE98]) For all $I$-states $s, t \in S_I$ and $i \in dom(I)$, $s \xrightarrow{i} t \in R_I$ iff:

$\forall j \in I(i) : (s\upharpoonright ij \xrightarrow{i} t\upharpoonright ij \in R_{ij})$ and

$\forall j \in \{i_1, \ldots, i_K\} - \{i\} : (s\upharpoonright j = t\upharpoonright j)$ and

$\forall j, k \in \{i_1, \ldots, i_K\} - \{i\},\ jIk : (s\upharpoonright\mathcal{SH}_{jk} = t\upharpoonright\mathcal{SH}_{jk})$.

Proof. This was established in [AE98] as Lemma 6.4.1. The proof there did not assume that the $M_{ij}$ are isomorphic. Hence, it carries over to the setting of this paper. □

In similar manner, we establish:

Corollary 2 (Transition mapping [AE98]) Let $J \subseteq I$ and $i \in dom(J)$. If $s \xrightarrow{i} t \in R_I$, then $s\upharpoonright J \xrightarrow{i} t\upharpoonright J \in R_J$.

By applying the transition-mapping corollary to every transition along a path $\pi$ in $M_I$, we show that $\pi\upharpoonright J$ is a path in $M_J$. Again, the proof carries over from [AE98].

Lemma 3 (Path mapping [AE98]) Let $J \subseteq I$. If $\pi$ is a path in $M_I$, then $\pi\upharpoonright J$ is a path in $M_J$.

In particular, when $J = \{(i, j, spec_{ij})\}$, Lemma 3 forms the basis for our soundness proof, since it relates computations of the synthesized program to computations of the pair-programs.

Since every reachable state lies at the end of some initialized path, we can use the path-mapping lemma (3) to relate reachable states in $M_I$ to their projections in $M_J$:

Corollary 4 (State mapping [AE98]) Let $J \subseteq I$. If $t$ is a reachable state in $M_I$, then $t\upharpoonright J$ is a reachable state in $M_J$.
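Definitions 1 through 4 and Lemmas 1 and 3 are concrete enough to execute. The Python below is an added example, not code from the paper: it fixes a small constructed $I$-program (a chain of three processes $I = \{(0,1),(1,2)\}$, one shared variable $turn_{ij}$ per pair, local states N and C, and a two-branch pair-move; all of these are assumptions of the example), computes the pair-structure and $I$-structure transition relations directly from Definitions 3 and 4, checks the right-hand side of Lemma 1 on each $I$-transition, and projects a labelled path onto a pair-program as in Definition 1.

```python
from itertools import product

# Constructed example (not from the paper): three processes on the chain
# I = {(0,1), (1,2)}, so dom(I) = {0,1,2}, I(0) = {1}, I(1) = {0,2}, I(2) = {1}.
# SH_ij holds a single variable turn_ij with value i or j. An I-state is (loc, turn):
# loc[i] is the i-state ('N' neutral or 'C' critical) and turn is a sorted tuple of
# ((i,j), value) pairs with i < j, so that states are hashable.
I = {(0, 1), (1, 2)}

def nbrs(i):
    return {b if a == i else a for (a, b) in I if i in (a, b)}

def key(i, j):
    return (i, j) if i < j else (j, i)

def proj(s, i, j):
    """s|ij: the ij-state (s_i, s_j, turn_ij) of I-state s."""
    loc, turn = s
    return (loc[i], loc[j], dict(turn)[key(i, j)])

def pair_process(i, j):
    """Pair-process P_i^j as a synchronization skeleton: arc (start, finish) -> the
    pair-move (+)_l B_l -> A_l as a list of branches. B_l reads (s_i, s_j, turn_ij);
    A_l is None (skip) or the constant assigned to turn_ij."""
    return {
        ('N', 'C'): [(lambda si, sj, t: t == i, None),              # it is my turn
                     (lambda si, sj, t: sj == 'N' and t == j, i)],  # take the turn
        ('C', 'N'): [(lambda si, sj, t: True, j)],                  # hand the turn over
    }

def pair_succs(i, j, sij):
    """P_i^j-transitions from ij-state sij in the pair-structure M_ij (Definition 3(c)):
    some branch m has s_ij(B_m) = true, A_m rewrites turn_ij, and s_j is unchanged."""
    si, sj, t = sij
    return {(fin, sj, t if a is None else a)
            for (st, fin), branches in pair_process(i, j).items() if st == si
            for b, a in branches if b(si, sj, t)}

def i_succs(s, i):
    """P_i-transitions from I-state s in the I-structure M_I (Definition 4(c)). The
    I-move is (x)_{j in I(i)} of the pair-moves (Definition 2): a branch must be
    enabled for every neighbour j, the chosen bodies run together, and every other
    process and every SH_jk with i not in {j,k} is left untouched."""
    loc, turn = s
    out = set()
    for (st, fin) in pair_process(i, min(nbrs(i))):      # same local structure for all j
        if st != loc[i]:
            continue
        per_j = [[(j, a) for b, a in pair_process(i, j)[(st, fin)]
                  if b(loc[i], loc[j], dict(turn)[key(i, j)])] for j in sorted(nbrs(i))]
        for choice in product(*per_j):                    # no choice if some j blocks
            nloc = loc[:i] + (fin,) + loc[i + 1:]
            nturn = dict(turn)
            for j, a in choice:
                if a is not None:
                    nturn[key(i, j)] = a
            out.add((nloc, tuple(sorted(nturn.items()))))
    return out

def transition_mapping_holds(s, i, t):
    """Right-hand side of Lemma 1 for s -i-> t: each projection onto a pair-program of
    P_i is a pair-transition, and nothing outside those pairs changes."""
    (loc, turn), (nloc, nturn) = s, t
    d, nd = dict(turn), dict(nturn)
    return (all(proj(t, i, j) in pair_succs(i, j, proj(s, i, j)) for j in nbrs(i))
            and all(loc[k] == nloc[k] for k in range(len(loc)) if k != i)
            and all(d[e] == nd[e] for e in d if i not in e))

def project_path(path, i, j):
    """Definition 1 for J = {(i,j)}: a J-block is a maximal run of states joined only by
    transitions of processes outside {i,j}; pi|J keeps one projected state per block,
    linked by the P_i- or P_j-transition between blocks. path = [s0, (d1, s1), ...]."""
    states, labels = [proj(path[0], i, j)], []
    for d, s in path[1:]:
        if d in (i, j):
            states.append(proj(s, i, j))
            labels.append(d)
    return states, labels
```

From the initial state with both turns held by the lower-numbered process, $P_1$ has exactly one $I$-transition (branch 2 towards $P_0$ combined with branch 1 towards $P_2$), and once $P_0$ is in C with $turn_{01} = 0$, $P_1$ has none, which is the pairwise mutual exclusion the pair-program encodes; every computed $I$-transition satisfies the three conjuncts of Lemma 1, and projecting a path that interleaves a $P_2$ step collapses that step into the enclosing $J$-block.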

5 Soundness of the Method for Static Programs

5.1 Deadlock-freedom

As we showed in [AE98], it is possible for the synthesized program $P$ to be deadlock-prone even though all the pair-programs are deadlock-free. To ensure deadlock-freedom of $P$, we imposed a condition on the "blocking behavior" of processes: after a process executes a move, it must either have another move enabled, or it must not be blocking any other process. In general, any behavioral condition which prevents the occurrence of certain patterns of blocking ("supercycles") is sufficient.

We formalize our notion of blocking behavior by the notion of wait-for-graph. The wait-for-graph in a particular $I$-state $s$ contains as nodes all the processes, and all the moves whose start state is a component of $s$. These moves have an outgoing edge to every process which blocks them.

Definition 5 (Wait-for-graph $\mathcal{W}_I(s)$) Let $s$ be an arbitrary $I$-state. The wait-for-graph $\mathcal{W}_I(s)$ of $s$ is a directed bipartite graph, where

1. the nodes of $\mathcal{W}_I(s)$ are

(a) the $I$-processes $\{P_i \mid i \in dom(I)\}$, and

(b) the moves $\{a^\ell_i \mid i \in dom(I)$ and $a^\ell_i \in P_i$ and $s\upharpoonright i = a^\ell_i.start\}$,

2. there is an edge from $P_i$ to every node of the form $a^\ell_i$ in $\mathcal{W}_I(s)$, and

3. there is an edge from $a^\ell_i$ to $P_j$ in $\mathcal{W}_I(s)$ if and only if $iIj$ and $a^\ell_i \in \mathcal{W}_I(s)$ and $s\upharpoonright ij(a^\ell_i.guard_j) = false$.

Here $a^\ell_i.guard_j$ is the conjunct of the guard of move $a^\ell_i$ which is evaluated over the (pairwise) shared state with $P_j$. We characterize a deadlock as the occurrence in the wait-for-graph of a graph-theoretic construct that we call a supercycle:

Definition 6 (Supercycle) $SC$ is a supercycle in $\mathcal{W}_I(s)$ if and only if all of the following hold:

1. $SC$ is nonempty,

2. if $P_i \in SC$ then for all $a^\ell_i$ such that $a^\ell_i \in \mathcal{W}_I(s)$, $P_i \rightarrow a^\ell_i \in SC$, and

3. if $a^\ell_i \in SC$ then there exists $P_j$ such that $a^\ell_i \rightarrow P_j \in \mathcal{W}_I(s)$ and $a^\ell_i \rightarrow P_j \in SC$.

Note that this definition implies that $SC$ is a subgraph of $\mathcal{W}_I(s)$.

Our conditions will be stated over "small" programs, i.e., programs that result from composing a small number of processes together. To then infer that the large program $P$ has similar behavior, we use the following proposition.

Proposition 5 (Wait-for-graph projection) Let $J \subseteq I$ and $iJj$. Furthermore, let $s_I$ be an arbitrary $I$-state. Then

1. $P_i \rightarrow a^I_i \in \mathcal{W}_I(s_I)$ iff $P_i \rightarrow a^J_i \in \mathcal{W}_J(s_I\upharpoonright J)$, and

2. $a^I_i \rightarrow P_j \in \mathcal{W}_I(s_I)$ iff $a^J_i \rightarrow P_j \in \mathcal{W}_J(s_I\upharpoonright J)$.

Proof. By assumption, $iJj$ and $J \subseteq I$. Hence $iIj$.

Proof of clause (1). By the wait-for-graph definition (5), $P_i \rightarrow a^I_i \in \mathcal{W}_I(s_I)$ iff $s_I\upharpoonright i = a^I_i.start$. Since $i \in dom(J)$, we have $(s_I\upharpoonright J)\upharpoonright i = s_I\upharpoonright i$ by definition of $\upharpoonright J$. Thus $s_I\upharpoonright i = a^I_i.start$ iff $(s_I\upharpoonright J)\upharpoonright i = a^J_i.start$ (since $a^I_i.start = a^J_i.start = s_i$). Finally, by the wait-for-graph definition (5) and $iJj$, $(s_I\upharpoonright J)\upharpoonright i = a^J_i.start$ iff $P_i \rightarrow a^J_i \in \mathcal{W}_J(s_I\upharpoonright J)$. These three equivalences together yield clause (1) (using transitivity of equivalence).

Proof of clause (2). By the wait-for-graph definition (5), $a^I_i \rightarrow P_j \in \mathcal{W}_I(s_I)$ iff $s_I\upharpoonright ij \not\models a^I_i.guard_j$. Since $iJj$, we have $(s_I\upharpoonright J)\upharpoonright ij = s_I\upharpoonright ij$ by definition of $\upharpoonright J$. Also, $a^I_i.guard_j = a^J_i.guard_j = \bigvee_{\ell \in [1:n]} B^j_{i\ell}$. Thus $s_I\upharpoonright ij \not\models a^I_i.guard_j$ iff $(s_I\upharpoonright J)\upharpoonright ij \not\models a^J_i.guard_j$. Finally, by the wait-for-graph definition (5) and $iJj$, $(s_I\upharpoonright J)\upharpoonright ij \not\models a^J_i.guard_j$ iff $a^J_i \rightarrow P_j \in \mathcal{W}_J(s_I\upharpoonright J)$. These three equivalences together yield clause (2) (using transitivity of equivalence, and noting that $s \not\models B$ and $s(B) = false$ have identical meaning). □
5.1.1 The Wait-for-graph Condition

In [AE98], we give a criterion, the wait-for-graph assumption, which can be evaluated over the product of a small number of processes, thereby avoiding state-explosion. We show there that if the wait-for-graph assumption holds, then $\mathcal{W}_I(s)$ cannot contain a supercycle for any reachable state $s$ of $M_I$. The wait-for-graph condition embodies the requirement that, after a process executes a move, it must either have another move enabled, or it must not be blocking any other process.

Definition 7 (Static wait-for-graph condition) Let $t_k$ be an arbitrary reachable local state of $P_k$ in $M_{k\ell}$ for all $\ell \in I(k)$, and let $n = |t_k.moves|$. Also let $J$ be an arbitrary interconnection relation such that $J \subseteq I$ and $J$ has the form $\{(j, k, spec_{jk}), (k, \ell_1, spec_{k\ell_1}), \ldots, (k, \ell_n, spec_{k\ell_n})\}$, where $j, \ell_1, \ldots, \ell_n \in I(k)$ (the $\ell_m$ need not be pairwise distinct). Then, for every reachable $J$-state $t_J$ in $M_J$ such that $t_J\upharpoonright k = t_k$ and $s_J \xrightarrow{k} t_J \in R_J$ for some reachable $J$-state $s_J$, we have

$\forall a^m_j : (a^m_j \rightarrow P_k \notin \mathcal{W}_J(t_J))$

or

$\exists a^m_k \in \mathcal{W}_J(t_J) : (\forall \ell \in \{\ell_1, \ldots, \ell_n\} : a^m_k \rightarrow P_\ell \notin \mathcal{W}_J(t_J))$.

Theorem 6 (Static supercycle-free wait-for-graph) If the wait-for-graph condition holds, and $\mathcal{W}_I(s^0)$ is supercycle-free for every initial state $s^0 \in S^0_I$, then for every reachable state $t$ of $M_I$, $\mathcal{W}_I(t)$ is supercycle-free.

Proof. Let $t$ be an arbitrary reachable state of $M_I$, and let $s$ be an arbitrary reachable state of $M_I$ such that $s \xrightarrow{k} t$ for some $k \in dom(I)$. We shall establish that

if $\mathcal{W}_I(t)$ is supercyclic, then $\mathcal{W}_I(s)$ is supercyclic. (P1)

The contrapositive of P1 together with the assumption that $\mathcal{W}_I(s^0)$ is supercycle-free for all $s^0 \in S^0_I$ is sufficient to establish the conclusion of the theorem (by induction on the length of a path from some $s^0 \in S^0_I$ to $t$).

We say that an edge is $k$-incident iff at least one of its vertices is $P_k$ or $a^\ell_k$. The following (P2) will be useful in proving P1:

if edge $e$ is not $k$-incident, then $e \in \mathcal{W}_I(t)$ iff $e \in \mathcal{W}_I(s)$. (P2)

Proof of P2. If $e$ is not $k$-incident, then, by the wait-for-graph definition (5), either $e = P_h \rightarrow a^m_h$, or $e = a^m_h \rightarrow P_\ell$, for some $h, \ell$ such that $h \ne k$, $\ell \ne k$. From $h \ne k$, $\ell \ne k$ and $s \xrightarrow{k} t \in R_I$, we have $s\upharpoonright h = t\upharpoonright h$ and $s\upharpoonright h\ell = t\upharpoonright h\ell$ by clauses (ii) and (iii) of the $I$-structure definition (4). Since $e \in \mathcal{W}_I(t)$, $e \in \mathcal{W}_I(s)$ are determined solely by $t\upharpoonright h\ell$, $s\upharpoonright h\ell$ respectively (see the wait-for-graph definition (5)), P2 follows. (End proof of P2.)

Let $v$ be a vertex in a supercycle $SC$. We define $depth_{SC}(v)$ to be the length of the longest backward path in $SC$ which starts in $v$. If there exists an infinite backward path (i.e., one that traverses a cycle) in $SC$ starting in $v$, then $depth_{SC}(v) = \omega$ ($\omega$ for "infinity"). We now establish that

every supercycle $SC$ contains at least one cycle. (P3)

Proof of P3. Suppose P3 does not hold, and $SC$ is a supercycle containing no cycles. Therefore, all backward paths in $SC$ are finite, and so by definition of $depth_{SC}$ all vertices of $SC$ have finite depth. Thus, there is at least one vertex $v$ in $SC$ with maximal depth. But, by definition of $depth_{SC}$, $v$ has no successors in $SC$, which, by the supercycle definition (6), contradicts the assumption that $SC$ is a supercycle. (End proof of P3.)

Our final prerequisite for the proof of P1 is

if $SC$ is a supercycle in $\mathcal{W}_I(s)$, then the graph $SC'$ obtained from $SC$ by removing all vertices of finite depth from $SC$ (along with incident edges) is also a supercycle in $\mathcal{W}_I(s)$. (P4)

Proof of P4. By P3, $SC' \ne \emptyset$. Thus $SC'$ satisfies clause (1) of the supercycle definition (6). Let $v$ be an arbitrary vertex of $SC'$. Thus $v \in SC$ and $depth_{SC}(v) = \omega$ by definition of $SC'$. Let $w$ be an arbitrary successor of $v$ in $SC$. $depth_{SC}(w) = \omega$ by definition of depth. Hence $w \in SC'$. Furthermore, $w$ is a successor of $v$ in $SC'$, by definition of $SC'$. Thus every vertex $v$ of $SC'$ is also a vertex of $SC$, and the successors of $v$ in $SC'$ are the same as the successors of $v$ in $SC$. Now since $SC$ is a supercycle, every vertex $v$ in $SC$ has enough successors in $SC$ to satisfy clauses (2) and (3) of the supercycle definition (6). It follows that every vertex $v$ in $SC'$ has enough successors in $SC'$ to satisfy clauses (2) and (3) of the supercycle definition (6). (End proof of P4.)

We now present the proof of (P1). We assume the antecedent of P1 and establish the consequent. Let $SC$ be some supercycle in $\mathcal{W}_I(t)$. Let $SC'$ be the graph obtained from $SC$ by removing all vertices of finite depth from $SC$ (along with incident edges). We now show that $P_k \notin SC'$ and that $SC'$ contains no move vertex of the form $a^\ell_k$. There are two cases.

Case 1: $P_k \notin SC$. Then obviously $P_k \notin SC'$. Now suppose some node of the form $a^\ell_k$ is in $SC'$. By definition of $SC'$, we have $a^\ell_k \in SC$ and $depth_{SC}(a^\ell_k) = \omega$. Hence, by definition of depth, there exists an infinite backward path in $SC$ starting in $a^\ell_k$. Thus $a^\ell_k$ must have a predecessor in $SC$. By the supercycle definition (6), $P_k$ is the only possible predecessor of $a^\ell_k$ in $SC$, and hence $P_k \in SC$, contrary to the case assumption. We therefore conclude that $SC'$ contains no vertices of the form $a^\ell_k$. (End of case 1.)

Case 2: $P_k \in SC$. By the supercycle definition (6),

$\forall a^m_k \in \mathcal{W}_I(t) : (\exists \ell : (a^m_k \rightarrow P_\ell \in \mathcal{W}_I(t)))$. (a)

Since there are exactly $n$ moves of process $P_k$ in $\mathcal{W}_I(t)$ ($n = |t_k.moves|$), we can select $\ell_1, \ldots, \ell_n$ (where $\ell_1, \ldots, \ell_n$ are not necessarily pairwise distinct) such that

$\forall a^m_k \in \mathcal{W}_I(t) : (\exists \ell \in \{\ell_1, \ldots, \ell_n\} : (a^m_k \rightarrow P_\ell \in \mathcal{W}_I(t)))$. (b)

Now let $J = \{(j, k, spec_{jk}), (k, \ell_1, spec_{k\ell_1}), \ldots, (k, \ell_n, spec_{k\ell_n})\}$ where $j$ is an arbitrary element of $I(k)$. Applying the wait-for-graph projection proposition (5) to (b) gives us

$\forall a^m_k \in \mathcal{W}_J(t\upharpoonright J) : (\exists \ell \in \{\ell_1, \ldots, \ell_n\} : (a^m_k \rightarrow P_\ell \in \mathcal{W}_J(t\upharpoonright J)))$. (c)

Now $s \xrightarrow{k} t \in R_I$ by assumption. Hence $s\upharpoonright J \xrightarrow{k} t\upharpoonright J \in R_J$ by the transition-mapping corollary (2). Also, by the state-mapping corollary (4), $s\upharpoonright J$ is reachable in $M_J$, since $s$ is reachable in $M_I$. Thus we can apply the wait-for-graph assumption to $t\upharpoonright J$ to get

$\forall a^m_j : (a^m_j \rightarrow P_k \notin \mathcal{W}_J(t\upharpoonright J))$

or

$\exists a^m_k \in \mathcal{W}_J(t\upharpoonright J) : (\forall \ell \in \{\ell_1, \ldots, \ell_n\} : (a^m_k \rightarrow P_\ell \notin \mathcal{W}_J(t\upharpoonright J)))$. (d)

Now (c) contradicts the second disjunct of (d). Hence

$\forall a^m_j : (a^m_j \rightarrow P_k \notin \mathcal{W}_J(t\upharpoonright J))$,

and applying the wait-for-graph projection proposition (5) to this gives us

$\forall a^m_j : (a^m_j \rightarrow P_k \notin \mathcal{W}_I(t))$.

Since $j$ is an arbitrary element of $I(k)$, we conclude that $P_k$ has no incoming edges in $\mathcal{W}_I(t)$. Thus, by definition of depth, $depth_{SC}(P_k) = 0$, and so $P_k \notin SC'$.

Now suppose some node of the form $a^\ell_k$ is in $SC'$. By definition of $SC'$, we have $a^\ell_k \in SC$ and $depth_{SC}(a^\ell_k) = \omega$. Hence, by definition of depth, there exists an infinite backward path in $SC$ starting in $a^\ell_k$. Thus $a^\ell_k$ must have a predecessor in $SC$. By the supercycle definition (6), $P_k$ is the only possible predecessor of $a^\ell_k$ in $SC$, and hence there exists an infinite backward path in $SC$ starting in $P_k$. Thus $depth_{SC}(P_k) = \omega$ by definition of depth. But we have established $depth_{SC}(P_k) = 0$, so we conclude that $SC'$ contains no vertices of the form $a^\ell_k$. (End of case 2.)

In both cases, $P_k \notin SC'$, and $SC'$ contains no move vertex of the form $a^\ell_k$. Thus every edge of $SC'$ is not $k$-incident. Hence, by P2, every edge of $SC'$ is an edge of $\mathcal{W}_I(s)$ (since $SC' \subseteq \mathcal{W}_I(t)$). By P4, $SC'$ is a supercycle, so $\mathcal{W}_I(s)$ is supercyclic. Thus P1 is established, which establishes the theorem. □



5.1.2 Establishing Deadlock-freedom

We show that the absence of supercycles in the wait-for-graph of a state implies that there is at least one enabled move in that state.

Proposition 7 (Supercycle [AE98]) If $\mathcal{W}_I(s)$ is supercycle-free, then some move $a^\ell_i$ has no outgoing edges in $\mathcal{W}_I(s)$.

Proof. We establish the contrapositive. Since every local state of a process has at least one outgoing arc (Section 2), there exists at least one move of the form $a^\ell_i$ for every $i \in dom(I)$ in $\mathcal{W}_I(s)$. Suppose that every such move has at least one outgoing edge in $\mathcal{W}_I(s)$. Consider the subgraph $SC$ of $\mathcal{W}_I(s)$ consisting of these edges together with all edges of the form $P_i \rightarrow a^\ell_i$ in $\mathcal{W}_I(s)$. By the wait-for-graph definition (5), and the supercycle definition (6), it is clear that $SC$ is a supercycle in $\mathcal{W}_I(s)$. Thus $\mathcal{W}_I(s)$ is not supercycle-free. □

Proposition 8 (Move enablement) Let $s$ be an arbitrary $I$-state such that $s\upharpoonright i = a^\ell_i.start$. If $a^\ell_i$ has no outgoing edges in $\mathcal{W}_I(s)$, then $a^\ell_i$ can be executed in state $s$.

Proof. If $a^\ell_i$ has no outgoing edges in $\mathcal{W}_I(s)$, then by the wait-for-graph definition (5), $s\upharpoonright ij(a^\ell_i.guard_j) = true$ for all $j \in I(i)$. Hence, by the $I$-structure definition (4), $a^\ell_i$ can be executed in state $s$. □

Theorem 9 (Deadlock freedom [AE98]) If, for every reachable state $s$ of $M_I$, $\mathcal{W}_I(s)$ is supercycle-free, then $M_I, S^0_I \models AGEXtrue$.

Proof. Let $s$ be an arbitrary reachable state of $M_I$. By the antecedent, $\mathcal{W}_I(s)$ is supercycle-free. Hence, by the supercycle proposition (7), some move $a^\ell_i$ has no outgoing edges in $\mathcal{W}_I(s)$. By Proposition 8, $a^\ell_i$ can be executed in state $s$. Since $s$ is an arbitrary reachable state of $M_I$, we conclude that every reachable state of $M_I$ has at least one enabled move $a^\ell_i$ (where, in general, $a^\ell_i$ depends on $s$). Hence $M_I, S^0_I \models AGEXtrue$. □
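The wait-for-graph of Definition 5, the supercycle of Definition 6 and the chain Proposition 7, Proposition 8, Theorem 9 can be checked mechanically on a state. The Python below is an added example, not code from the paper: it builds $\mathcal{W}_I(s)$ for a constructed ring of three processes with fork-style guards (the ring, the local states T, H, E and the guards are assumptions of the example, not the paper's program), computes the largest supercycle as the greatest fixpoint of clauses 2 and 3 of Definition 6 (supercycles are closed under union, so this is empty exactly when $\mathcal{W}_I(s)$ is supercycle-free), lists the moves with no outgoing wait-for edge (the enabled moves of Proposition 8), and confirms over every $I$-state of the ring that a supercycle-free wait-for-graph leaves some move enabled, which is what Theorem 9 rests on.

```python
from itertools import product

# Constructed example (not from the paper): three processes on the ring
# I = {(0,1), (1,2), (2,0)}, local states 'T' (thinking), 'H' (holding the left
# fork) and 'E' (eating). A move a_i^l is (start, finish, guards): guards[j] is the
# conjunct a_i^l.guard_j of Definition 5, here a predicate on (s_i, s_j); a neighbour
# absent from guards imposes no condition. An I-state is a tuple of local states.
I = {(0, 1), (1, 2), (2, 0)}
N = 3

def dom(I):
    return {i for e in I for i in e}

def nbrs(I, i):
    return {b if a == i else a for (a, b) in I if i in (a, b)}

def left(i):
    return (i - 1) % N          # the fork shared with the left neighbour

def right(i):
    return (i + 1) % N          # the fork shared with the right neighbour

MOVES = {
    i: [('T', 'H', {left(i): lambda si, sj: sj != 'E'}),                  # take left fork
        ('H', 'E', {right(i): lambda si, sj: sj not in ('H', 'E')}),     # take right fork
        ('E', 'T', {})]                                                   # release both
    for i in range(N)
}
ALL_STATES = list(product('THE', repeat=N))

def wait_for_graph(I, moves, s):
    """W_I(s) of Definition 5: nodes ('P', i) and ('a', i, l), edges as (src, dst)."""
    nodes, edges = set(), set()
    for i in dom(I):
        nodes.add(('P', i))
        for l, (start, _finish, guards) in enumerate(moves[i]):
            if s[i] != start:                       # only moves with s|i = a.start
                continue
            a = ('a', i, l)
            nodes.add(a)
            edges.add((('P', i), a))                # clause 2: P_i -> a_i^l
            for j in nbrs(I, i):                    # clause 3: s|ij(a.guard_j) = false
                guard_j = guards.get(j, lambda si, sj: True)
                if not guard_j(s[i], s[j]):
                    edges.add((a, ('P', j)))
    return nodes, edges

def largest_supercycle(graph):
    """Greatest fixpoint of clauses 2 and 3 of Definition 6. A move stays only while
    some process it waits for stays; a process stays only while all its moves stay.
    The result is empty iff the wait-for-graph is supercycle-free."""
    nodes, edges = graph
    sc = set(nodes)
    changed = True
    while changed:
        changed = False
        for v in list(sc):
            succs = [dst for (src, dst) in edges if src == v]
            keep = any(p in sc for p in succs) if v[0] == 'a' else all(a in sc for a in succs)
            if not keep:
                sc.discard(v)
                changed = True
    return sc

def enabled_moves(I, moves, s):
    """Moves with no outgoing edge in W_I(s); by Proposition 8 each can execute in s."""
    nodes, edges = wait_for_graph(I, moves, s)
    move_nodes = {n for n in nodes if n[0] == 'a'}
    blocked = {src for (src, _dst) in edges if src[0] == 'a'}
    return sorted((i, l) for (_kind, i, l) in move_nodes - blocked)

def supercycle_free_implies_enabled(I, moves, states):
    """Propositions 7 and 8 over the given states: whenever W_I(s) is supercycle-free,
    at least one move is enabled in s."""
    return all(enabled_moves(I, moves, s)
               for s in states if not largest_supercycle(wait_for_graph(I, moves, s)))
```

In the state where every process holds its left fork, each H-to-E move waits for its right neighbour, the whole wait-for-graph is a supercycle and no move is enabled, which is the classic dining-philosophers deadlock; with one process still thinking, the fixpoint empties out and two moves are enabled. The last function is the check a practitioner would run before trusting a deadlock-freedom argument on a small composed program.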

5.2 Liveness

To assure liveness properties of the synthesized programs, we need to assume a form of weak fairness. Let $CL(f)$ be the set of all subformulae of $f$, including $f$ itself. Let $ex_i$ be an assertion that is true along a transition in a structure iff that transition results from executing process $i$. We give our fairness criterion as a formula of the linear time temporal logic PTL [MW84].

Definition 8 (Sometimes-blocking, $blk^j_i$, $blk_i$) An $i$-state $s_i$ is sometimes-blocking in $M_{ij}$ if and only if:

$\exists s^0_{ij} \in S^0_{ij} : (M_{ij}, s^0_{ij} \models EF(\{\!|s_i|\!\} \wedge (\exists a^\ell_j \in P^i_j : (\{\!|a^\ell_j.start|\!\} \wedge \neg a^\ell_j.guard))))$.

Also, $blk^j_i = \bigvee \{ \{\!|s_i|\!\} \mid s_i$ is sometimes-blocking in $M_{ij} \}$, and $blk_i = \bigvee_{j \in I(i)} blk^j_i$.

Note that $a^\ell_j.start$ is the start state of the two-process move $a^\ell_j$, and $a^\ell_j.guard$ is its guard.

Definition 9 (Weak blocking fairness, $\Phi_b$) $\Phi_b = \bigwedge_{i \in dom(I)} (\overset{\infty}{G}(blk_i \wedge en_i) \Rightarrow \overset{\infty}{F} ex_i)$.

Definition 10 (Pending eventuality, $pnd_{ij}$) An $ij$-state $s_{ij}$ has a pending eventuality if and only if:

$\exists f_{ij} \in CL(spec_{ij}) : (M_{ij}, s_{ij} \models \neg f_{ij} \wedge AF f_{ij})$.

Also, $pnd_{ij} = \bigvee \{ \{\!|s_{ij}|\!\} \mid s_{ij}$ has a pending eventuality$\}$.

In other words, $s_{ij}$ has a pending eventuality if there is a subformula of the pair-specification $spec_{ij}$ which does not hold in $s_{ij}$, but is guaranteed to eventually hold along every fullpath of $M_{ij}$ that starts in $s_{ij}$.

Definition 11 (Weak eventuality fairness, $\Phi_e$) $\Phi_e = \bigwedge_{(i,j) \in I} ((\overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j) \wedge \overset{\infty}{G} pnd_{ij} \Rightarrow \overset{\infty}{F}(ex_i \vee ex_j))$.

Our overall fairness notion $\Phi$ is then the conjunction of weak blocking and weak eventuality fairness: $\Phi = \Phi_b \wedge \Phi_e$.

Definition 12 (Liveness condition for static programs) For every reachable state $s_{ij}$ in $M_{ij}$,

$M_{ij}, s_{ij} \models A(\overset{\infty}{G} ex_i \Rightarrow \overset{\infty}{G} aen_j)$,

where $aen_j = \bigwedge_{a^\ell_j \in P^i_j} (\{\!|a^\ell_j.start|\!\} \Rightarrow a^\ell_j.guard)$.

$aen_j$ means that every move of $P_j$ whose start state is a component of the current global state is also enabled in the current global state. The liveness condition requires, in every pair-program $(S^0_{ij}, P^j_i \| P^i_j)$, that if $P^j_i$ can execute continuously along some path, then there exists a suffix of that path along which $P^j_i$ does not block any move of $P^i_j$.

Lemma 10 (Progress for static programs) If

1. the liveness condition holds, and

2. for every reachable $I$-state $u$, $\mathcal{W}_I(u)$ is supercycle-free, and

3. $M_{ij}, s\upharpoonright ij \models \neg h_{ij} \wedge AF h_{ij}$ for some $h_{ij} \in CL(spec_{ij})$, then

$M_I, s \models_\Phi AF(ex_i \vee ex_j)$.

Proof. By assumption 2 and Theorem 9, $M_I, S^0_I \models AGEXtrue$. Hence every fullpath in $M_I$ is infinite. Let $\pi$ be an arbitrary $\Phi$-fair fullpath starting in $s$. If $M_I, \pi \models F(ex_i \vee ex_j)$, then we are done. Hence we assume

$\pi \models G(\neg ex_i \wedge \neg ex_j)$ (*)

in the remainder of the proof. Now define $\psi_{inf} \stackrel{df}{=} \{k \mid \pi \models \overset{\infty}{F} ex_k\}$ and $\psi_{fin} \stackrel{df}{=} \{k \mid \pi \models \overset{\infty}{G} \neg ex_k\}$. Let $\rho$ be a suffix of $\pi$ such that no process in $\psi_{fin}$ executes along $\rho$, and let $t$ be the first state of $\rho$. Note that, by (*), $i \in \psi_{fin}$, $j \in \psi_{fin}$.

Let $W$ be the portion of $\mathcal{W}_I(t)$ induced by starting in $P_i, P_j$ and following wait-for edges that enter processes in $\psi_{fin}$ or their moves. By assumption 2, $W$ is supercycle-free. Hence, there exists a process $P_k$ in $W$ such that $P_k$ has some move $a^m_k$ with no wait-for edges to any process in $W$, by Proposition 7. Hence, in state $t\upharpoonright k\ell$, $a^m_k$ is enabled in all pair-machines $M_{k\ell}$ such that $\ell \in \psi_{fin}$, i.e., $t\upharpoonright k\ell \models \{\!|a^m_k.start|\!\} \wedge en(a^m_k)$. Also, $k \in \psi_{fin}$, by definition of $W$. Since $t$ is the first state of $\rho$ and no process in $\psi_{fin}$ executes along $\rho$, we have from the above that for all $\ell \in \psi_{fin} \cap I(k)$: $\rho\upharpoonright k\ell \models G\, en(a^m_k)$.

Now consider a pair-machine $M_{k\ell}$ such that $\ell \in \psi_{inf}$ (if any). Hence $\rho \models \overset{\infty}{F} ex_\ell \wedge G \neg ex_k$, since $k \in \psi_{fin}$. Hence $\rho\upharpoonright k\ell \models \overset{\infty}{F} ex_\ell \wedge G \neg ex_k$. By Lemma 3, $\rho\upharpoonright k\ell$ is a path in $M_{k\ell}$. Since $\rho$ is an infinite path and $\rho \models \overset{\infty}{F} ex_\ell$, $\rho\upharpoonright k\ell$ is an infinite path. Hence $\rho\upharpoonright k\ell$ is a fullpath in $M_{k\ell}$. By the liveness condition for static programs (Definition 12), $\rho\upharpoonright k\ell \models \overset{\infty}{G} aen_k$. Now $t\upharpoonright k\ell \models \{\!|a^m_k.start|\!\}$. Since $\rho\upharpoonright k\ell \models G \neg ex_k$, $P_k$'s local state does not change along $\rho\upharpoonright k\ell$. Hence $\rho\upharpoonright k\ell \models G\{\!|a^m_k.start|\!\}$. Hence, by definition of $aen_k$, $\rho\upharpoonright k\ell \models \overset{\infty}{G} en(a^m_k)$. Since $\ell$ is an arbitrary element of $\psi_{inf} \cap I(k)$, we have for all $\ell \in \psi_{inf} \cap I(k)$: $\rho\upharpoonright k\ell \models \overset{\infty}{G} en(a^m_k)$. Since $(\psi_{inf} \cap I(k)) \cup (\psi_{fin} \cap I(k)) = I(k)$, we conclude that for all $\ell \in I(k)$: $\rho\upharpoonright k\ell \models \overset{\infty}{G} en(a^m_k)$. By Definitions 1 and 2, we have $\rho \models \overset{\infty}{G} en(a^m_k)$. Hence, we conclude

$\rho \models \overset{\infty}{G} en_k$. (a)

Assume $k \notin \{i, j\}$. Then, by definition of $W$, in state $t$ $P_k$ blocks some move of some process $P_g$, i.e., $t \models \{\!|a^m_g.start|\!\} \wedge \neg a^m_g.guard_k$. By Definition 8, $t\upharpoonright k$ is sometimes-blocking in $M_{kg}$ (since $t$ is reachable, so is $t\upharpoonright kg$, by [AE98, Corollary 6.4.5]). Hence $t\upharpoonright k \models blk^g_k$, and so $t \models blk^g_k$. Now $\rho \models G \neg ex_k$. Since $t$ is the first state of $\rho$, this means that $t\upharpoonright k = u\upharpoonright k$ for any state $u$ of $\rho$, i.e., the local state of $P_k$ does not change along $\rho$. Thus, $\rho \models G\, blk^g_k$, since $t \models blk^g_k$. Thus $\rho \models G\, blk_k$, by definition of $blk_k$. From this and (a), we have $\rho \models \overset{\infty}{G}(blk_k \wedge en_k)$. Hence, by weak blocking fairness (Definition 9), $\rho \models \overset{\infty}{F} ex_k$, which contradicts $\rho \models G \neg ex_k$. Hence the assumption $k \notin \{i, j\}$ does not hold, and so $k \in \{i, j\}$.

Since $\pi \models G(\neg ex_i \wedge \neg ex_j)$, by assumption (*), and $s = first(\pi)$, we have $u\upharpoonright ij = s\upharpoonright ij$ for every state $u$ along $\pi$. Now $M_{ij}, s\upharpoonright ij \models \neg h_{ij} \wedge AF h_{ij}$ for some $h_{ij} \in CL(spec_{ij})$ by assumption 3. Hence $M_{ij}, u\upharpoonright ij \models \neg h_{ij} \wedge AF h_{ij}$ for all $u$ along $\pi$. Hence $M_{ij}, u\upharpoonright ij \models pnd_{ij}$ for all $u$ along $\pi$ by Definition 10. Hence, $M_I, u \models pnd_{ij}$ for all $u$ along $\pi$, since $pnd_{ij}$ is purely propositional, and so $M_I, \pi \models G\, pnd_{ij}$.

Since $\rho$ is a suffix of $\pi$ and $k \in \{i, j\}$, we conclude from (a) that $\pi \models \overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j$. Hence $M_I, \pi \models (\overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j) \wedge \overset{\infty}{G} pnd_{ij}$. By weak eventuality fairness (Definition 11), $\pi \models \overset{\infty}{F}(ex_i \vee ex_j)$. This contradicts the assumption (*), which is therefore false. Hence $\pi \models F(ex_i \vee ex_j)$. Since $\pi$ is an arbitrary $\Phi$-fair fullpath starting in $s$, the lemma follows. □

5.3 The Lcirge Model Theorem for Static Programs 

Theorem 11 (Large model) Let spec^j) € I, where spec^j € ACTL^.^ and let s be an arbi- 
trary reachable I-state. If 

1. the liveness condition for static programs holds, 
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2. Wi(u) is supercycle-free for every reachable I -state u, and 

3. Mij,s\ij \= fij for some fij e CL{speCij), 

then 

Mi,s\=^ fij. 

Proof. The proof is by induction on the structure of fij. Throughout, let Sij = s\ij. 

fij = Pi, or fij = -^pi, where pi G AVi, i.e., pi is an atomic proposition. 
By definition of Hj, s and s\ij agree on all atomic propositions in APi UAPj. The result follows. 

fij = Sij /\ hij. The antecedent is Mij,Sij |= gij A hij. So, by CTL* semantics, Mij,Sij \= gij 
and Mij,Sij \= hij. Since fij e CL{spec^j), we have gij G CL{specij) and hij € CL^spec^j). Hence, 
applying the induction hypothesis, we get Mj, s gij and Mj, s hij. So by CTL* semantics 
we get Mi,s^^ {gij A hij). 

fij = dij V hij. The antecedent is AIij,Sij \= gij V hij. So, by CTL* semantics, Mij,Sij |= gij 
or Mij,Sij \= hij. Since fij £ CL{speCij), we have gij € CL{spec.ij) and hij G CL{specij). Hence, 
applying the induction hypothesis, we get Mi,s |=^ gij or M/,s t=^ hij. So by CTL* semantics 
we get M/, s {gij V /ijj). 

$f_{ij} = A[g_{ij}\, U_w\, h_{ij}]$. Let $\pi$ be an arbitrary $\Phi$-fair fullpath starting in $s$. We establish $\pi \models [g_{ij}\, U_w\, h_{ij}]$. By Definition 1, $\pi\lceil ij$ starts in $s\lceil ij = s_{ij}$. Hence, by CTL* semantics, $\pi\lceil ij \models [g_{ij}\, U_w\, h_{ij}]$ (note that this holds even if $\pi\lceil ij$ is not a fullpath, i.e., is a finite path). We have two cases.

Case 1: $\pi\lceil ij \models G g_{ij}$. Let $t$ be an arbitrary state along $\pi$. By Definition 1, $t\lceil ij$ lies along $\pi\lceil ij$. Hence $t\lceil ij \models g_{ij}$. By the induction hypothesis, $t \models g_{ij}$. Hence $\pi \models G g_{ij}$, since $t$ was arbitrarily chosen. Hence $\pi \models [g_{ij}\, U_w\, h_{ij}]$ by CTL* semantics.

Case 2: $\pi\lceil ij \models [g_{ij}\, U\, h_{ij}]$. Let $s^{m'}_{ij}$ be the first state along $\pi\lceil ij$ that satisfies $h_{ij}$ (we use $s^n_{ij}$ to denote the $n$'th state along $\pi\lceil ij$, i.e., $\pi\lceil ij = s^0_{ij}, s^1_{ij}, \ldots$, and we let $s_{ij} = s^0_{ij}$). By Definition 1, there exists at least one state $t$ along $\pi$ such that $t\lceil ij = s^{m'}_{ij}$. Let $s^{n'}$ be the first such state. By the induction hypothesis, $s^{n'} \models h_{ij}$. Let $s^n$ be any state along $\pi$ up to but not including $s^{n'}$ (i.e., $0 \le n < n'$). Then, by Definition 1, $s^n\lceil ij$ lies along the portion of $\pi\lceil ij$ up to, and possibly including, $s^{m'}_{ij}$. That is, $s^n\lceil ij = s^m_{ij}$, where $0 \le m \le m'$. Now suppose $s^n\lceil ij = s^{m'}_{ij}$ (i.e., $m = m'$). Then, by $s^{m'}_{ij} \models h_{ij}$ and the induction hypothesis, $s^n \models h_{ij}$, contradicting the fact that $s^{n'}$ is the first state along $\pi$ that satisfies $h_{ij}$. Hence, $m \ne m'$, and so $0 \le m < m'$. Since $s^{m'}_{ij}$ is the first state along $\pi\lceil ij$ that satisfies $h_{ij}$, and $\pi\lceil ij \models [g_{ij}\, U\, h_{ij}]$, we have $s^m_{ij} \models g_{ij}$ by CTL* semantics. From $s^n\lceil ij = s^m_{ij}$ and the induction hypothesis, we get $s^n \models g_{ij}$. Since $s^n$ is any state along $\pi$ up to but not including $s^{n'}$, and $s^{n'} \models h_{ij}$, we have $\pi \models [g_{ij}\, U\, h_{ij}]$ by CTL* semantics. Hence $\pi \models [g_{ij}\, U_w\, h_{ij}]$ by CTL* semantics.

In both cases, we showed $\pi \models [g_{ij}\, U_w\, h_{ij}]$. Since $\pi$ is an arbitrary $\Phi$-fair fullpath starting in $s$, we conclude $M_I, s \models_\Phi A[g_{ij}\, U_w\, h_{ij}]$.

$f_{ij} = A[g_{ij}\, U\, h_{ij}]$. Since $f_{ij} \in CL(spec_{ij})$, we have $g_{ij} \in CL(spec_{ij})$ and $h_{ij} \in CL(spec_{ij})$. Suppose $s_{ij} \models h_{ij}$. Hence $s \models h_{ij}$ by the induction hypothesis, and so $s \models A[g_{ij}\, U\, h_{ij}]$ and we are done. Hence we assume $s_{ij} \models \neg h_{ij}$ in the remainder of the proof. Since $s_{ij} \models A[g_{ij}\, U\, h_{ij}]$ by assumption, we have $s_{ij} \models \neg h_{ij} \wedge AF h_{ij}$. Let $\pi$ be an arbitrary $\Phi$-fair fullpath starting in $s$. By Theorem 9, $\pi$ is an infinite path. We now establish $\pi \models F h_{ij}$.

Proof of $\pi \models F h_{ij}$. Assume $\pi \models \neg F h_{ij}$, i.e., $\pi \models G \neg h_{ij}$. Let $t$ be an arbitrary state along $\pi$. Let $\rho$ be the segment of $\pi$ from $s$ to $t$. By Definition 1, $\rho\lceil ij$ is a path from $s_{ij}$ to $t\lceil ij$. By Lemma 3, $\rho\lceil ij$ is a path in $M_{ij}$. Suppose $\rho\lceil ij$ contains a state $u_{ij}$ such that $u_{ij} \models h_{ij}$. By Definition 1, there exists a state $u$ along $\rho$ such that $u\lceil ij = u_{ij}$. By the induction hypothesis, we have $u \models h_{ij}$, contradicting the assumption $\pi \models G \neg h_{ij}$. Hence $\rho\lceil ij$ contains no state that satisfies $h_{ij}$. Since $s_{ij} \models AF h_{ij}$ and $\rho\lceil ij$ is a path from $s_{ij}$ to $t\lceil ij$ (inclusive) which contains no state satisfying $h_{ij}$, we must have $t\lceil ij \models \neg h_{ij} \wedge AF h_{ij}$ by CTL semantics. Let $\pi'$ be the suffix of $\pi$ starting in $t$. Since $t\lceil ij \models \neg h_{ij} \wedge AF h_{ij}$ and $h_{ij} \in CL(spec_{ij})$, we can apply the Progress Lemma to conclude $M_I, t \models_\Phi AF(ex_i \vee ex_j)$. Since $t$ is an arbitrary state along $\pi$, we conclude $M_I, \pi \models \overset{\infty}{F}(ex_i \vee ex_j)$. Hence, by Definition 1, $\pi\lceil ij$ is a fullpath. By Lemma 3, $\pi\lceil ij$ is a fullpath in $M_{ij}$. Since $\pi\lceil ij$ starts in $s_{ij} = s\lceil ij$, and $s_{ij} \models AF h_{ij}$, $\pi\lceil ij$ must contain a state $v_{ij}$ such that $v_{ij} \models h_{ij}$. By Definition 1, $\pi$ contains a state $v$ such that $v\lceil ij = v_{ij}$. By the induction hypothesis and $v_{ij} \models h_{ij}$, we have $v \models h_{ij}$. Hence $\pi \models F h_{ij}$, contrary to assumption, and we are done. (End of proof of $\pi \models F h_{ij}$.)

By assumption, $s_{ij} \models A[g_{ij}\, U\, h_{ij}]$. Hence $s_{ij} \models A[g_{ij}\, U_w\, h_{ij}]$. From the above proof case for $A[g_{ij}\, U_w\, h_{ij}]$, we have $s \models A[g_{ij}\, U_w\, h_{ij}]$. Hence $\pi \models [g_{ij}\, U_w\, h_{ij}]$, since $\pi$ is a $\Phi$-fair fullpath starting in $s$. From this and $\pi \models F h_{ij}$, we have $\pi \models [g_{ij}\, U\, h_{ij}]$ by CTL* semantics. Since $\pi$ is an arbitrary $\Phi$-fair fullpath starting in $s$, we have $s \models A[g_{ij}\, U\, h_{ij}]$. □

Corollary 12 (Large model) If the liveness condition for static programs holds, and $W_I(u)$ is supercycle-free for every reachable $I$-state $u$, then

$(\forall (i,j) \in I : M_{ij}, S^0_{ij} \models spec_{ij})$ implies $M_I, S^0_I \models_\Phi \bigwedge_{(i,j) \in I} spec_{ij}$.

Unlike [AE98], $spec_{ij}$ and $spec_{k\ell}$, where $\{k,\ell\} \ne \{i,j\}$, can be completely different formulae, whereas in [AE98] these formulae had to be "similar," i.e., one was obtained from the other by substituting process indices.

6 Example — A Two Phase Commit Protocol 

We illustrate our method by synthesizing a ring-based (non-fault-tolerant) two-phase commit protocol $P^I = P_0 \parallel P_1 \parallel \cdots \parallel P_{n-1}$, where $I$ specifies a ring. $P_0$ is the coordinator, and $P_i$, $1 \le i < n$, are the participants: each participant represents a transaction. The protocol proceeds in two cycles around the ring. The coordinator initiates the first cycle, in which each participant decides to either submit its transaction or unilaterally abort. $P_i$ can submit only after it observes that $P_{i-1}$ has submitted. After the first cycle, the coordinator observes the state of $P_{n-1}$. If $P_{n-1}$ has submitted its transaction, that means that all participants have submitted their transactions, and so the coordinator decides commit. If $P_{n-1}$ has aborted, that means that some participant $P_i$ unilaterally aborted, thereby causing all participants $P_j$, $i < j \le n-1$, to abort. In that case, the coordinator decides abort. The second cycle then relays the coordinator's decision around the ring. The participant processes are all similar to each other, but the coordinator is not similar to the participants. Hence, there are three pair-programs to consider: $P^1_0 \parallel P^0_1$, $P^{i+1}_i \parallel P^i_{i+1}$, and $P^0_{n-1} \parallel P^{n-1}_0$. These are given in Figures 1, 2, and 3, respectively, where $term_i \equiv cm_i \vee ab_i$, and an incoming arrow with no source indicates an initial local state. Figures 5, 6, and 7 give the respective global state transition diagrams (i.e., pair-structures). The synthesized two-phase commit protocol is given in Figure 4. We establish the correctness of $P^I$ as follows:



1. $cm_0 \leadsto sb_{n-1}$ (LMT)

2. $\bigwedge_{1 < i < n}(sb_i \leadsto sb_{i-1})$ (LMT)

3. $cm_0 \leadsto \bigwedge_{1 \le i < n} sb_i$ (1, 2)

4. $\bigwedge_{1 \le i < n}(cm_i \leadsto cm_{i-1})$ (LMT)

5. $\bigwedge_{0 \le i < n}(cm_i \leadsto (\bigwedge_{1 \le j < n} sb_j))$ (3, 4)

6. $\bigwedge_{1 \le i < n}((cm_{i-1} \ldots cm_i) \ldots$ (LMT)

7. $\bigwedge_{0 \le i < n} AG(\neg cm_i \vee \neg ab_i) \wedge AG(cm_i \Rightarrow AG\, cm_i)$ (LMT)

8. $\bigwedge_{1 \le i < n} AG[sb_i \Rightarrow A[sb_i\, U\, (sb_i \wedge (cm_{i-1} \vee ab_{i-1}))]]$ (LMT)

9. $\bigwedge_{1 \le i < n}(cm_i \ldots A[sb_{i+1}\, U\, (sb_{i+1} \wedge cm_i)])$ (5, 7, 8)

10. $\bigwedge_{1 \le i < n}((cm_{i-1} \wedge sb_i) \ldots sb_{i+1}))$ (6, 9)

11. $cm_0 \mapsto \bigwedge_{1 \le j < n} cm_j$ (3, 10)


Here the formula $f \leadsto g$ abbreviates $A[(f \Rightarrow AF g)\, U_w\, g]$, which intuitively means that if $f$ holds at some point, then $g$ holds at some (possibly different) point. There is no ordering on the times at which $f$ and $g$ hold. $f \mapsto g$ abbreviates $AG[f \Rightarrow AF g]$. The above formulae hold in all initial states of $M_I$, the global state transition diagram of $P^I$. The notation LMT means that the formula was established first in the relevant pair-structure, and then we used the large model theorem to deduce that the formula also holds in $M_I$. A notation of some formula numbers means that the formula was deduced using the preceding formulae, and using an appropriate CTL deductive system [Eme90]. Formula 11 gives us a correctness property of two-phase commit: if the coordinator commits, then so does every participant. Using the large model theorem, we deduce $\bigwedge_{1 \le i < n}(ab_{i-1} \mapsto ab_i)$, from which $ab_0 \mapsto \bigwedge_{1 \le i < n} ab_i$ follows, namely if the coordinator aborts, then so does every participant. Likewise, we establish $AF(cm_0 \vee ab_0)$ (the coordinator eventually decides), and $AG(st_i \Rightarrow EX_i\, ab_i)$ (every participant can abort unilaterally). This last formula is not in $ACTL^-$, but it was shown to be preserved in [AE98], and we have extended the proof there to the setting of this paper.
7 Synthesis of Dynamic Concurrent Programs



7.1 Dynamic Specifications 

A dynamic specification consists of:

1. A "universal" set $UI$ of pair-specifications. A pair-specification has the form $(\{i,j\}, spec_{ij})$, where $i, j \in Pids$, $i \ne j$, and $spec_{ij} \in ACTL^-_{ij}$ specifies the interaction of processes $i$ and $j$. $UI$ can be infinite.

2. A finite set $\mathcal{I}_0 \subseteq UI$, which gives the pair-specifications which are in force, that is, must be satisfied, initially.

3. A mapping $create : 2^{UI} \mapsto 2^{UI}$ which determines which new pair-specifications (in $UI$) can be added to those that are in force. If $\mathcal{I}$ is the set of pair-specifications that are in force and $(\{i,j\}, spec_{ij}) \in create(\mathcal{I})$, then $\mathcal{I} \cup \{(\{i,j\}, spec_{ij})\}$ is a possible next value for the set of pair-specifications in force.

We show in the sequel that the synthesized dynamic program satisfies the dynamic specification in 
that every pair-specification is satisfied from the time it comes into force. We make these notions 
precise below. 

7.2 Overview of the Synthesis Method: Dynamic Addition of Pair-programs

Our synthesis method produces a dynamic concurrent program $\mathcal{P}$. $\mathcal{P}$ consists of the conjunctive overlay of a dynamically increasing set of pair-programs. A pair-program is a static concurrent program consisting of exactly two processes. $(S^0_{ij}, P^j_i \parallel P^i_j)$ denotes a pair-program with processes $i$ and $j$, and initial state set $S^0_{ij}$. We use $P^j_i$ for the synchronization skeleton of process $i$ within this pair-program, with the superscript $j$ indicating the other process. $SH_{ij}$ denotes the shared variables in $(S^0_{ij}, P^j_i \parallel P^i_j)$. The shared variable sets of different pair-programs are disjoint: $SH_{ij} \cap SH_{i'j'} = \emptyset$ if $\{i,j\} \ne \{i',j'\}$. The component processes of a pair-program (e.g., $P^j_i$) are called pair-processes. Define $graph(P^j_i)$ to be the synchronization skeleton of $P^j_i$ with all the arc labels removed.

Definition 13 (Conjunctive overlay, $P^j_i \otimes P^k_i$) Let $P^j_i$ and $P^k_i$ be pair-processes for $i$ such that $graph(P^j_i) = graph(P^k_i)$. Then,

$P^j_i \otimes P^k_i$ contains an arc from $s_i$ to $t_i$ with label $(\oplus_{\ell \in [1:n_j]} B^j_{i\ell} \rightarrow A^j_{i\ell}) \otimes (\oplus_{\ell \in [1:n_k]} B^k_{i\ell} \rightarrow A^k_{i\ell})$

iff

$P^j_i$ contains an arc from $s_i$ to $t_i$ with label $\oplus_{\ell \in [1:n_j]} B^j_{i\ell} \rightarrow A^j_{i\ell}$, and
$P^k_i$ contains an arc from $s_i$ to $t_i$ with label $\oplus_{\ell \in [1:n_k]} B^k_{i\ell} \rightarrow A^k_{i\ell}$.

Note that the $\otimes$ operator is overloaded, and applies to both pair-processes and to guarded commands. When applied to guarded commands, $\otimes$ denotes the "conjunction" of guarded commands, so an arc with label $(\oplus_{\ell \in [1:n_j]} B^j_{i\ell} \rightarrow A^j_{i\ell}) \otimes (\oplus_{\ell \in [1:n_k]} B^k_{i\ell} \rightarrow A^k_{i\ell})$ can only be executed in a state in which $B^j_{i\ell}$ holds for some $\ell \in [1:n_j]$ and $B^k_{im}$ holds for some $m \in [1:n_k]$. Execution then involves the parallel execution of the corresponding $A^j_{i\ell}$ and $A^k_{im}$. See [AE98] for a full discussion of $\oplus$ and $\otimes$. Conjunctive overlay viewed as a binary operation on both guarded commands and pair-processes is commutative and associative, since the operands of $\otimes$ are treated identically. Thus, we define and use the $n$-ary version of $\otimes$ in the usual manner.
Given a dynamic concurrent program $\mathcal{P}$, a new pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ can be dynamically added at run-time as follows. If $\mathcal{P}$ already contains $P_i$, then $P_i$ is modified by taking the conjunctive overlay with $P^j_i$, i.e., $P_i := P_i \otimes P^j_i$. If $\mathcal{P}$ does not contain $P_i$, then $P_i$ is dynamically created and added as a new process, and is given the synchronization skeleton of $P^j_i$, i.e., $P_i := P^j_i$. Likewise for $P_j$. We say that $(S^0_{ij}, P^j_i \parallel P^i_j)$ is active once it has been added. The "synchronization skeleton code" of the dynamic program thus changes at run time, as pair-programs are added. Since each $P_i$ is built up by successive conjunctive overlays of pair-processes, the $n$-ary version of the $\otimes$ operator can always be applied, provided that $graph(P^j_i) = graph(P^k_i)$. To assure this, we assume, in the sequel:

For active pair-programs $(S^0_{ij}, P^j_i \parallel P^i_j)$ and $(S^0_{ik}, P^k_i \parallel P^i_k)$: $graph(P^j_i) = graph(P^k_i)$.

We emphasize that different pair-programs can have different functionality, since the guarded commands which label the arcs of $P^j_i$ and $P^k_i$ can be different.

Pair-programs are added only when a new pair-specification comes into force, and are the means of satisfying the new pair-specification. Thus, the transitions of $\mathcal{P}$ are of two kinds: (1) normal transitions, which are atomic transitions (as described in Section 2) arising from execution of the conjunctive overlay of all active pair-programs, and (2) create transitions, which correspond to making a new pair-specification $(\{i,j\}, spec_{ij})$ in force, according to the $create$ mapping. To satisfy $(\{i,j\}, spec_{ij})$, we dynamically create a new pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ such that $(S^0_{ij}, P^j_i \parallel P^i_j) \models spec_{ij}$, and incorporate it into the existing dynamic program by performing a conjunctive overlay with the currently active pair-programs.

7.3 Technical Definitions 

If $\mathcal{I} \subseteq UI$, then define $pairs(\mathcal{I}) = \{\{i,j\} \mid \exists spec_{ij} : (\{i,j\}, spec_{ij}) \in \mathcal{I}\}$, $procs(\mathcal{I}) = \{i \mid \exists j : \{i,j\} \in pairs(\mathcal{I})\}$, and $\mathcal{I}(i) = \{j \mid \{i,j\} \in pairs(\mathcal{I})\}$. Processes $i$ and $j$ are neighbors when $\{i,j\} \in pairs(\mathcal{I})$. If $\mathcal{I} \ne \emptyset$, then $\mathcal{I}(i) \ne \emptyset$ for all $i \in procs(\mathcal{I})$, by definition. Thus, every process always has at least one neighbor.

An $i$-state is a local state of $P^j_i$. An $ij$-state is a global state of $(S^0_{ij}, P^j_i \parallel P^i_j)$, i.e., (by Section 2) a tuple $(s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$ where $s_i$, $s_j$ are $i$-states, $j$-states, respectively, and $v^1_{ij}, \ldots, v^m_{ij}$ give the values of all the variables in $SH_{ij}$. When $i$ and $j$ are unspecified, we refer to an $ij$-state as a pair-state.

A configuration is a tuple $(\mathcal{I}, A, S)$, where $\mathcal{I} \subseteq UI$, $A$ is a set of pair-programs $(S^0_{ij}, P^j_i \parallel P^i_j)$, one for each $\{i,j\} \in pairs(\mathcal{I})$, and $S$ is a mapping from each $\{i,j\} \in pairs(\mathcal{I})$ to an $ij$-state. We refer to the components of $s$ as $s.\mathcal{I}$, $s.A$, $s.S$. We write $procs(s)$ for $procs(s.\mathcal{I})$, and $pairs(s)$ for $pairs(s.\mathcal{I})$. A consistent configuration satisfies the constraint that all pair-states assign the same local state to all common processes, i.e., for all $\{i,j\}, \{i,k\} \in pairs(s)$, if $S(\{i,j\}) = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$ and $S(\{i,k\}) = (s'_i, s_k, v^1_{ik}, \ldots, v^{m'}_{ik})$, then $s_i = s'_i$. We assume henceforth that configurations are consistent, and our definitions will respect this constraint.

For configuration $s$, $i \in procs(s)$, and atomic proposition $p_i \in AP_i$, we define $s(p_i) = S(\{i,j\})(p_i)$, where $\{i,j\} \in pairs(s)$. By the above definitions and constraints, a $j$ such that $\{i,j\} \in pairs(s)$ always exists when $i \in procs(s)$, and the value for $s(p_i)$ so defined is unique.

The state-to-formula operator $\{s_i\}$ converts an $i$-state $s_i$ into a propositional formula: $\{s_i\} = (\bigwedge_{s_i(p_i) = true} p_i) \wedge (\bigwedge_{s_i(p_i) = false} \neg p_i)$, where $p_i$ ranges over the members of $AP_i$. $\{s_i\}$ characterizes $s_i$ in that $s_i \models \{s_i\}$ and $s'_i \not\models \{s_i\}$ for all $s'_i \ne s_i$. $\{s_{ij}\}$ is defined similarly (but note that the variables in $SH_{ij}$ must be accounted for).

We define the state projection operator $\lceil$, which is an overloaded binary infix operator with several variants, depending on the type of the operands. For projection of $ij$-states onto a single process: if $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, then $s_{ij}\lceil i = s_i$. For projection of $ij$-states onto the shared variables in $SH_{ij}$: if $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, then $s_{ij}\lceil SH_{ij} = (v^1_{ij}, \ldots, v^m_{ij})$. For projection of a configuration $s = (\mathcal{I}, A, S)$ onto a single process: if $i \in procs(s)$, then $s\lceil i = S(\{i,j\})\lceil i$, where $\{i,j\} \in pairs(s)$. This is unique because configurations are consistent. For projection of $s$ onto a pair-program: if $\{i,j\} \in pairs(s)$, then $s\lceil ij = S(\{i,j\})$. If $\{i,j\} \notin pairs(s)$, then $s\lceil ij$ is undefined. If $J$ is a set of pairs such that $J \subseteq pairs(s)$, then we define the projection of $s$ onto $J$: $s\lceil J$ is the restriction of $s.S$ to $J$.

7.4 The Synthesis Method 

Given a dynamic specification, we synthesize a program $\mathcal{P}$ as follows:

1. Initially, $\mathcal{P}$ consists of the conjunctive overlay of the pair-programs corresponding to the pair-specifications in $\mathcal{I}_0$.

2. When a pair-specification $(\{i,j\}, spec_{ij})$ is added, as permitted by the $create$ mapping, synthesize a pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ using $spec_{ij}$ as the specification, and add it to $\mathcal{P}$ as discussed in Section 7.2 above.

To synthesize pair-programs, any synthesis method which produces static concurrent programs in the synchronization skeleton notation can be used, e.g., [AAE98, AE01, EC82].

Since the create transitions affect the actual code of $\mathcal{P}$, we define them first. The create transitions are determined by the intended meaning of the $create$ rule, together with the constraint that creating a new pair-program does not change the current state of existing pair-programs.

Definition 14 (Create transitions) Let $s, t$ be configurations. Then $(s, create, t)$ is a create transition iff there exists $\{i,j\} \notin pairs(s)$ such that

1. $(\{i,j\}, spec_{ij}) \in create(s)$, i.e., the rule for adding new pair-specifications allows the pair-specification $(\{i,j\}, spec_{ij})$ to be added in global state $s$,

2. $t.\mathcal{I} = s.\mathcal{I} \cup \{(\{i,j\}, spec_{ij})\}$, and $t.A = s.A \cup \{(S^0_{ij}, P^j_i \parallel P^i_j)\}$, where $(S^0_{ij}, P^j_i \parallel P^i_j) \models spec_{ij}$,

3. $t\lceil ij$ is a reachable state of $(S^0_{ij}, P^j_i \parallel P^i_j)$, and if $i \in procs(s)$ then $t\lceil i = s\lceil i$, and if $j \in procs(s)$ then $t\lceil j = s\lceil j$, and

4. for all $\{k,\ell\} \in pairs(s)$: $s.S(\{k,\ell\}) = t.S(\{k,\ell\})$.

Instead of a process index, we use a constant label $create$ to indicate a create transition. Our synthesis method is given by the following.

Definition 15 (Pairwise synthesis) In configuration $s$, the synthesized program $\mathcal{P}$ is $\parallel_{i \in procs(s)} P_i$, where $P_i = \bigotimes_{j \in s.\mathcal{I}(i)} P^j_i$. The set of initial configurations $S_0$ of $\mathcal{P}$ consists of all $s$ such that (1) $s.\mathcal{I} = \mathcal{I}_0$, (2) $s.A$ contains exactly one pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ for each $(\{i,j\}, spec_{ij}) \in \mathcal{I}_0$, (3) $(S^0_{ij}, P^j_i \parallel P^i_j) \models spec_{ij}$, and (4) $s.S(\{i,j\}) \in S^0_{ij}$ for all $\{i,j\} \in pairs(s)$.

Another way to characterize process $P_i$ of $\mathcal{P}$ is that $(s_i, \bigotimes_{j \in s.\mathcal{I}(i)} \oplus_{\ell \in [1:n_j]} B^j_{i\ell} \rightarrow A^j_{i\ell}, t_i)$ is an arc in $P_i$ iff $\forall j \in s.\mathcal{I}(i) : (s_i, \oplus_{\ell \in [1:n_j]} B^j_{i\ell} \rightarrow A^j_{i\ell}, t_i)$ is an arc in $P^j_i$. Definition 15 gives the initial configurations of $\mathcal{P}$, and the code of $\mathcal{P}$ as a function of the $s.\mathcal{I}$ and $s.A$ components of the current configuration $s$. The code of $\mathcal{P}$ does not depend on the $s.S$ component of $s$, which gives the values of the atomic propositions and shared variables, i.e., the state. Definition 14 shows how $s.\mathcal{I}$ and $s.A$ are changed by create transitions. We assume that the $S^0_{ij}$ are such that $S_0 \ne \emptyset$, i.e., there exist consistent configurations that project onto a state in each $S^0_{ij}$.

Since a configuration of $\mathcal{P}$ determines both the state and the code of all processes, the normal transitions that can be executed in a configuration are determined intrinsically by that configuration, Definition 15, and the semantics of synchronization skeletons, as follows.

Definition 16 (Normal transitions) Let $s, t$ be configurations and $i \in procs(s)$. Then $(s, i, t)$ is a normal transition iff

1. there exist local states $s\lceil i$, $t\lceil i$ of $P_i$ such that, for all $\{i,j\} \in pairs(s)$, there exists an arc $(s\lceil i, \oplus_{\ell \in [1:n_j]} B^j_{i\ell} \rightarrow A^j_{i\ell}, t\lceil i)$ in $P^j_i$ such that

$\exists m \in [1:n_j] : s\lceil ij(B^j_{im}) = true$ and $\langle (s\lceil ij)\lceil SH_{ij} \rangle\; A^j_{im}\; \langle (t\lceil ij)\lceil SH_{ij} \rangle$,

2. for all $j$ in $procs(s) - \{i\}$: $s\lceil j = t\lceil j$,

3. for all $\{j,k\}$ in $pairs(s)$, $i \notin \{j,k\}$: $s\lceil jk = t\lceil jk$, and

4. $s.\mathcal{I} = t.\mathcal{I}$ and $s.A = t.A$.

Thus, $P_i$ can execute a transition from global state $s$ to global state $t$ only if, for every $\{i,j\} \in pairs(s)$, $P^j_i$ can execute a transition from $s\lceil ij$ to $t\lceil ij$. Also, $P_i$ reads the local state of its neighbors, and reads/writes variables that are shared pairwise, i.e., between $P_i$ and exactly one neighbor. Thus $\mathcal{P}$ enjoys a spatial locality property, which is useful when implementing $\mathcal{P}$ in atomic read/write memory.
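The following is an added example, not code from the paper: it implements the conjunctive overlay of Definitions 13 and 15 and the enabledness test of Definition 16 on a constructed toy process "a" with neighbours "b" and "c" (all process, state and variable names are this example's own), showing that a normal transition of $P_a$ needs a true disjunct in every neighbour's label.

```python
"""Added example (not the paper's own code): conjunctive overlay
P_i = (x)_{j in I(i)} P_i^j (Definitions 13 and 15) and the enabledness test
behind a normal transition (Definition 16), on a constructed toy process "a"
with two neighbours "b" and "c".  All names below are this example's own."""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# An ij-state: ({process: local state}, {shared variable in SH_ij: value}).
IJState = Tuple[Dict[str, str], Dict[str, int]]
# A guarded command B -> A: a guard over the ij-state and the constants A writes.
GC = Tuple[Callable[[IJState], bool], Dict[str, int]]
# A pair-process P_i^j: arc (start, target) -> its label gc_1 (+) ... (+) gc_n.
PairProcess = Dict[Tuple[str, str], List[GC]]
# The overlaid process P_i: arc -> {neighbour j: the label P_i^j puts on that arc}.
Process = Dict[Tuple[str, str], Dict[str, List[GC]]]
# The S component of a configuration: pair {i, j} -> ij-state.
Configuration = Dict[FrozenSet[str], IJState]

def graph(p: PairProcess) -> FrozenSet[Tuple[str, str]]:
    """Synchronization skeleton of P_i^j with all arc labels removed."""
    return frozenset(p)

def overlay(pair_procs: Dict[str, PairProcess]) -> Process:
    """n-ary conjunctive overlay.  The operands must have identical graphs (the
    assumption imposed on active pair-programs).  Each neighbour's disjunctive
    label is kept separately: an overlaid arc fires one disjunct of *every*
    neighbour's label, which is what (x) on guarded commands means."""
    graphs = {graph(p) for p in pair_procs.values()}
    if len(graphs) != 1:
        raise ValueError("conjunctive overlay requires graph(P_i^j) = graph(P_i^k)")
    return {arc: {j: p[arc] for j, p in pair_procs.items()} for arc in graphs.pop()}

def local_state(conf: Configuration, i: str) -> str:
    """s|i.  Well defined only for pair-consistent configurations; the check
    makes that assumption explicit instead of silently picking one pair."""
    seen = {locs[i] for pair, (locs, _) in conf.items() if i in pair}
    if len(seen) != 1:
        raise ValueError(f"configuration is inconsistent on process {i}: {seen}")
    return seen.pop()

def normal_step(conf: Configuration, code: Dict[str, Process],
                i: str, target: str) -> Optional[Configuration]:
    """The normal transition (s, i, t) in which P_i moves from s|i to `target`.
    Returns t, or None if for some neighbour j no disjunct of P_i^j's label is
    true in s|ij (clause 1 of Definition 16).  Pairs not containing i are left
    unchanged (clause 3) and the code is not touched (clause 4)."""
    arc = (local_state(conf, i), target)
    if arc not in code[i]:
        return None
    t: Configuration = dict(conf)
    for j, label in code[i][arc].items():
        pair = frozenset((i, j))
        locs, shared = conf[pair]
        # exists m in [1:n_j] : s|ij(B_im) = true  (take the first true disjunct)
        writes = next((a for b, a in label if b((locs, shared))), None)
        if writes is None:
            return None
        # <(s|ij)|SH_ij> A_im <(t|ij)|SH_ij>: A_im assigns constants to SH_ij
        t[pair] = (dict(locs, **{i: target}), dict(shared, **writes))
    return t

def pair_process(i: str, j: str, var: str) -> PairProcess:
    """Toy P_i^j: i may go idle -> busy only while j is idle and the shared flag
    `var` is 0, setting the flag; busy -> idle is always allowed and clears it."""
    return {
        ("idle", "busy"): [(lambda st: st[0][j] == "idle" and st[1][var] == 0, {var: 1})],
        ("busy", "idle"): [(lambda st: True, {var: 0})],
    }

# Code of P_a after overlaying its two pair-processes (Definition 15).
CODE: Dict[str, Process] = {
    "a": overlay({"b": pair_process("a", "b", "x_ab"),
                  "c": pair_process("a", "c", "x_ac")}),
}

def demo() -> Tuple[bool, Optional[Configuration]]:
    """With c busy, P_a^c's guard is false, so a cannot move even though P_a^b
    would allow it; once c is idle both pair-processes agree and a moves."""
    blocked = {frozenset("ab"): ({"a": "idle", "b": "idle"}, {"x_ab": 0}),
               frozenset("ac"): ({"a": "idle", "c": "busy"}, {"x_ac": 0})}
    free = {frozenset("ab"): ({"a": "idle", "b": "idle"}, {"x_ab": 0}),
            frozenset("ac"): ({"a": "idle", "c": "idle"}, {"x_ac": 0})}
    return normal_step(blocked, CODE, "a", "busy") is None, normal_step(free, CODE, "a", "busy")
```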

$\langle (s\lceil ij)\lceil SH_{ij} \rangle\; A\; \langle (t\lceil ij)\lceil SH_{ij} \rangle$ is Hoare triple notation [Hoa69] for total correctness, which in this case means that execution of $A$ always terminates (termination is obvious, since the right-hand side of $A$ is a list of constants), and, when the shared variables in $SH_{ij}$ have the values assigned by $s\lceil ij$, leaves these variables with the values assigned by $t\lceil ij$. $s\lceil ij(B^j_{im}) = true$ states that the value of guard $B^j_{im}$ in state $s\lceil ij$ is true.

The semantics of the synthesized program $\mathcal{P}$ is given by its global state transition diagram (GSTD), which is obtained by starting with the initial configurations, and taking the closure under all the normal and create transitions.

Definition 17 (Global-state transition diagram of $\mathcal{P}$) The semantics of $\mathcal{P}$ is given by the structure $M_\mathcal{P} = (S_0, S, R_n, R_c)$ where

1. $S_0$ is the set of initial configurations of $\mathcal{P}$, and consists of all the configurations $s_0$ such that $s_0 = (\mathcal{I}_0, A, S)$, $A = \{(S^0_{ij}, P^j_i \parallel P^i_j) \mid \{i,j\} \in pairs(\mathcal{I}_0)\}$, and $S(\{i,j\}) \in S^0_{ij}$, i.e., the pair-specifications in $\mathcal{I}_0$ are initially active, and all pair-programs are in one of their start states.

2. $S$ is the set of all configurations such that (1) $S_0 \subseteq S$ and (2) if $s \in S$ and there is a normal or create transition from $s$ to $t$, then $t \in S$.

3. $R_n \subseteq S \times Pids \times S$ is a transition relation consisting of the normal transitions of $\mathcal{P}$, as given by Definition 16.

4. $R_c \subseteq S \times \{create\} \times S$ is a transition relation consisting of the create transitions of $\mathcal{P}$, as given by Definition 14.

It is clear that $R_c$ and $R_n$ are disjoint.

The creation of a pair-program is modeled in the above definition as a single transition. At a lower level of abstraction, this creation is realized by a protocol which synchronizes the "activation" of $(S^0_{ij}, P^j_i \parallel P^i_j)$ with the current computation of $P_i$ and $P_j$, if they are already present. We give details in the full paper.

Let $M_{ij} = (S^0_{ij}, S_{ij}, R_{ij}, V_{ij})$ be the GSTD of $(S^0_{ij}, P^j_i \parallel P^i_j)$ as defined in Section 3. $M_{ij}$ gives the semantics of $(S^0_{ij}, P^j_i \parallel P^i_j)$ executing in isolation.

7.5 The Creation Protocol 

When a new pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ is to be added, it must be synchronized with $P_i$ and $P_j$, if these are already present, so that the (pair-consistency) requirement is not violated.

CREATE$((S^0_{ij}, P^j_i \parallel P^i_j))$

1. if $P_i$ is alive, then send $P_i$ a request to halt execution;

2. if $P_j$ is alive, then send $P_j$ a request to halt execution;

3. wait for the necessary acknowledgments from $P_i$, $P_j$;

4. select a reachable state $s_{ij}$ of $(S^0_{ij}, P^j_i \parallel P^i_j)$ such that $s_{ij}\lceil i = s_i$ if $P_i$ is alive, and $s_{ij}\lceil j = s_j$ if $P_j$ is alive (we require that the creation rule imposes sufficient constraints on pair-program creation so that this is guaranteed to hold);

5. set the current state of $(S^0_{ij}, P^j_i \parallel P^i_j)$ to $s_{ij}$;

6. send $P_i$, $P_j$ permission to resume execution.



8 Soundness of the Method for Dynamic Programs 

Let $\pi$ be a computation path of $\mathcal{P}$. Let $J \subseteq Pids \times Pids$ be such that $J \subseteq pairs(s.\mathcal{I})$ for all $s$ along $\pi$. Then, the path-projection of $\pi$ onto $J$, denoted $\pi\lceil J$, is obtained as follows. Start with the first configuration $s$ along $\pi$ such that $pairs(s) \cap J \ne \emptyset$. (If no such configuration exists, then $\pi\lceil J$ is the empty sequence.) Replace every configuration $t$ that occurs after $s$ along $\pi$ by $t\lceil J$, and then remove all transitions $t \xrightarrow{i} t'$ along $\pi$ such that $P_i$ is not a process in some pair in $J$, coalescing the source and target states of all such transitions, which must be the same, since they do not refer to $P_i$. Define $M_J$ to be the $M_\mathcal{P}$ for the case when $\mathcal{I}_0 = J$, and no create transitions occur, i.e., the set of active pairs is always $J$.

Let $M_{ij} = (S^0_{ij}, S_{ij}, R_{ij})$ be the global state transition diagram of $(S^0_{ij}, P^j_i \parallel P^i_j)$, as given by Definition 3. $S^0_{ij}$, $S_{ij}$ are the set of initial states, set of all states, respectively, of $M_{ij}$. $R_{ij} \subseteq S_{ij} \times \{i,j\} \times S_{ij}$ is the set of transitions of $M_{ij}$. $M_{ij}$ and $M_\mathcal{P}$ can be interpreted as ACTL structures. $M_{ij}$ gives the semantics of $(S^0_{ij}, P^j_i \parallel P^i_j)$ executing in isolation, and $M_\mathcal{P}$ gives the semantics of $\mathcal{P}$. Our main soundness result below (the large model theorem) relates the ACTL formulae that hold in $M_\mathcal{P}$ to those that hold in $M_{ij}$. We characterize transitions in $M_\mathcal{P}$ as compositions of transitions in all the relevant $M_{ij}$.

Lemma 13 (Transition mapping) For all configurations $s, t \in S$ and $i \in procs(s)$:

$s \xrightarrow{i} t \in R_n$ iff $\forall j \in s.\mathcal{I}(i) : s\lceil ij \xrightarrow{i} t\lceil ij \in R_{ij}$ and $\forall \{j,k\} \in pairs(s), i \notin \{j,k\} : s\lceil jk = t\lceil jk$.

Proof. In configuration $s$, the constraints on a transition by $P_i$ are given by exactly the pair-programs of which $P_i$ is a member, i.e., those $\{i,j\} \in pairs(s)$. If all such pairs permit a transition ($\forall j \in s.\mathcal{I}(i) : s\lceil ij \xrightarrow{i} t\lceil ij \in R_{ij}$), and if all pair-programs in which $P_i$ is not a member do not execute a transition ($\forall \{j,k\} \in pairs(s), i \notin \{j,k\} : s\lceil jk = t\lceil jk$), then $P_i$ can indeed execute the transition $s \xrightarrow{i} t$, according to the semantics of $M_\mathcal{P}$. The other direction follows by similar reasoning. The technical formulation of this argument follows exactly the same lines as the proof of Lemma 6.4.1 in [AE98]. □

Corollary 14 (Transition mapping) For all configurations $s, t \in S$, $J \subseteq pairs(s)$, and $i \in procs(J)$, if $s \xrightarrow{i} t \in R_n$, then $s\lceil J \xrightarrow{i} t\lceil J \in R_J$.

Lemma 15 (Path mapping) Let $\pi$ be a path in $M_\mathcal{P}$, and let $J \subseteq Pids \times Pids$ be such that $J \subseteq pairs(s)$ for every configuration $s$ along $\pi$. Then $\pi\lceil J$ is a path in $M_J$.

Proof. The proof carries over from [AE98] with the straightforward modifications to deal with create transitions. □

In particular, when $J = \{\{i,j\}\}$, Lemma 15 forms the basis for our soundness proof, since it relates computations of the synthesized program $\mathcal{P}$ to computations of the pair-programs.

8.1 Deadlock-Freedom 

In our dynamic model, the definition of wait-for-graph is essentially the same as in the static case (Definition 5), except that the set of process nodes is also a function of the current configuration.

Definition 18 (Wait-for-graph $W(s)$) Let $s$ be an arbitrary configuration. The wait-for-graph $W(s)$ of $s$ is a directed bipartite graph, where

1. the nodes of $W(s)$ are

(a) the processes $\{P_i \mid i \in procs(s)\}$, and

(b) the arcs $\{a_i \mid i \in procs(s) \text{ and } a_i \in P_i \text{ and } s\lceil i = a_i.start\}$,

2. there is an edge from $P_i$ to every node of the form $a_i$ in $W(s)$, and

3. there is an edge from $a_i$ to $P_j$ in $W(s)$ if and only if $\{i,j\} \in pairs(s)$ and $a_i \in W(s)$ and $s\lceil ij(a_i.guard_j) = false$.

Recall that $a_i.guard_j$ is the conjunct of the guard of arc $a_i$ which references the state shared by $P_i$ and $P_j$ (in effect, $AP_j$ and $SH_{ij}$). As before, we characterize a deadlock as the occurrence in the wait-for-graph of a supercycle:

Definition 19 (Supercycle) $SC$ is a supercycle in $W(s)$ if and only if:

1. $SC$ is nonempty,

2. if $P_i \in SC$ then for all $a_i$ such that $a_i \in W(s)$, $P_i \rightarrow a_i \in SC$, and

3. if $a_i \in SC$ then there exists $P_j$ such that $a_i \rightarrow P_j \in W(s)$ and $a_i \rightarrow P_j \in SC$.

Note that this definition implies that $SC$ is a subgraph of $W(s)$.

To extend the wait-for-graph condition (Section 5.1.1) to the dynamic model, we need to take the create transitions ($R_c$) into account. Thus, we modify the wait-for-graph condition as follows. In addition to the static wait-for-graph condition of Definition 7, we require that a newly added pair-machine have at least one of its processes initially enabled.

Definition 20 (Dynamic wait-for-graph condition) Let $k \in Pids$, let $t_k$ be an arbitrary local state of $P_k$, and let $n$ be the number of outgoing arcs of $t_k$ in $P_k$. Let $s, t$ be arbitrary configurations such that either

1. $(s, k, t) \in R_n$, $pairs(s) = pairs(t) = \{\{j,k\}, \{k,\ell_1\}, \ldots, \{k,\ell_n\}\}$, $k \notin \{j, \ell_1, \ldots, \ell_n\}$, and $t\lceil k = t_k$, or

2. $(s, create, t) \in R_c$, $pairs(s) = \{\{k,\ell_1\}, \ldots, \{k,\ell_n\}\}$, $pairs(t) = \{\{j,k\}, \{k,\ell_1\}, \ldots, \{k,\ell_n\}\}$, $k \notin \{j, \ell_1, \ldots, \ell_n\}$, and $t\lceil k = t_k$.

Then,

$\forall a_j : (a_j \rightarrow P_k \notin W(t))$ or $\exists a_k \in W(t) : (\forall \ell \in \{\ell_1, \ldots, \ell_n\} : a_k \rightarrow P_\ell \notin W(t))$.

Theorem 16 (Dynamic supercycle-free wait-for-graph) If the wait-for-graph condition holds, and $W(s_0)$ is supercycle-free for every initial configuration $s_0 \in S_0$, then for every reachable configuration $t$ of $M_\mathcal{P}$, $W(t)$ is supercycle-free.

Proof. Similar to the proof of Theorem 6 with straightforward adaptations to deal with the create transitions (assumption 2 of Definition 20). □

8.1.1 Establishing Deadlock-freedom

We show that the absence of supercycles in the wait-for-graph of a configuration implies that there 
is at least one enabled move in that configuration. The proofs are very similar to the static case, 
and are omitted. 
Proposition 17 (Supercycle [AE98]) If $W(s)$ is supercycle-free, then some move $a_i$ has no outgoing edges in $W(s)$.

Theorem 18 (Deadlock freedom) If, for every reachable configuration $s$ of $M_\mathcal{P}$, $W(s)$ is supercycle-free, then $M_\mathcal{P}, S_0 \models AG\,EX\,true$.
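As an added example (not the paper's own code), the following builds the wait-for-graph of Definition 18 from a configuration and decides supercycle-freedom (Definition 19) by pruning nodes that violate clauses 2 and 3 until a greatest fixpoint is reached; the enabled move of Proposition 17 is read off the same graph. The three-process configuration, arc names and already-evaluated guard conjuncts are constructed for this example.

```python
"""Added example (not from the paper): build the wait-for-graph W(s) of
Definition 18 and decide whether it contains a supercycle (Definition 19) by
greatest-fixpoint pruning; Proposition 17's enabled move is read off the same
graph.  Process names, arc names and guard values below are constructed."""
from typing import Dict, FrozenSet, List, Set, Tuple

# An arc a_i of P_i: (a_i.start, {j: truth value of a_i.guard_j in s|ij}).
# Guard conjuncts are given as already-evaluated booleans because the example
# is about the graph, not about guard syntax.
Arc = Tuple[str, Dict[str, bool]]
Node = Tuple[str, str]        # ("P", i) for a process node, ("a", name) for an arc node

def wait_for_graph(local: Dict[str, str],
                   arcs: Dict[str, Tuple[str, Arc]],
                   pairs: Set[FrozenSet[str]]) -> Dict[Node, Set[Node]]:
    """W(s) as an adjacency map.  local[i] = s|i for i in procs(s);
    arcs[name] = (i, a_i); pairs = pairs(s)."""
    w: Dict[Node, Set[Node]] = {("P", i): set() for i in local}
    for name, (i, (start, guard)) in arcs.items():
        if local[i] != start:
            continue                       # clause 1(b): only arcs leaving s|i are nodes
        a = ("a", name)
        w[a] = set()
        w[("P", i)].add(a)                 # clause 2: P_i -> a_i for every such arc
        for j, holds in guard.items():
            if frozenset((i, j)) in pairs and not holds:
                w[a].add(("P", j))         # clause 3: a_i -> P_j iff s|ij(a_i.guard_j) = false
    return w

def supercycle(w: Dict[Node, Set[Node]]) -> Set[Node]:
    """Largest node set SC satisfying clauses 2 and 3 of Definition 19 (the edges
    of SC are then all W(s)-edges among these nodes).  Nodes violating a clause
    are removed until nothing changes; W(s) is supercycle-free iff the result is
    empty.  A process node with no arc node at all satisfies clause 2 vacuously
    and so forms a supercycle by itself: it can never move."""
    sc: Set[Node] = set(w)
    changed = True
    while changed:
        changed = False
        for node in list(sc):
            kind, _ = node
            if kind == "P":
                keep = w[node] <= sc                       # all of P_i's arc nodes stay
            else:
                keep = any(p in sc for p in w[node])       # some blocked-on P_j stays
            if not keep:
                sc.discard(node)
                changed = True
    return sc

def enabled_moves(w: Dict[Node, Set[Node]]) -> List[str]:
    """Arc nodes without outgoing edges: every guard conjunct holds, so the move
    is enabled.  Proposition 17: non-empty whenever supercycle(w) is empty."""
    return sorted(name for (kind, name), succ in w.items() if kind == "a" and not succ)

# --- constructed configuration: three processes, each waiting on the next ------
PAIRS = {frozenset("12"), frozenset("23"), frozenset("13")}
LOCAL = {"1": "wait", "2": "wait", "3": "wait"}

def demo() -> Tuple[int, int, List[str]]:
    """Returns (size of the supercycle in the deadlocked configuration, its size
    once P_3's conjunct on P_1 holds, and the enabled moves in that case)."""
    deadlocked = wait_for_graph(LOCAL, {
        "a1": ("1", ("wait", {"2": False})),
        "a2": ("2", ("wait", {"3": False})),
        "a3": ("3", ("wait", {"1": False})),
    }, PAIRS)
    # Same configuration except that a_3's conjunct on P_1 now holds: a_3 has no
    # outgoing edge, so P_3 leaves SC, then a_2, P_2, a_1 and P_1 fall away in turn.
    live = wait_for_graph(LOCAL, {
        "a1": ("1", ("wait", {"2": False})),
        "a2": ("2", ("wait", {"3": False})),
        "a3": ("3", ("wait", {"1": True})),
    }, PAIRS)
    return len(supercycle(deadlocked)), len(supercycle(live)), enabled_moves(live)
```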

8.2 Liveness 

To assure liveness properties of the synthesized program $\mathcal{P}$, we assume a form of weak fairness. Let $CL(f)$ be the set of all subformulae of $f$, including $f$ itself. Let $ex_i$ be an assertion that is true along a transition in a structure iff that transition results from executing process $i$. Let $en_i$ hold in a configuration $s$ iff $P_i$ has some arc that is enabled in $s$. Let $normal$ be an assertion that is true along all transitions of $M_\mathcal{P}$ that are drawn from $R_n$. Let $\pi$ be a fullpath of $M_\mathcal{P}$. Define $states(\pi) = \{s \mid s \text{ occurs along } \pi\}$. Define $procs(\pi) = \bigcup_{s \in states(\pi)} procs(s)$, and $pairs(\pi) = \bigcup_{s \in states(\pi)} pairs(s)$.

Definition 21 (Weak blocking fairness) $\Phi_b(\pi) \overset{df}{=} \bigwedge_{i \in procs(\pi)} \overset{\infty}{G}(blk_i \wedge en_i) \Rightarrow \overset{\infty}{F} ex_i$.

Weak blocking fairness requires that a process that is continuously enabled and in a sometimes-blocking state is eventually executed.

Definition 22 (Weak eventuality fairness) $\Phi_e(\pi) \overset{df}{=} \bigwedge_{\{i,j\} \in pairs(\pi)} (\overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j) \wedge \overset{\infty}{G} pnd_{ij} \Rightarrow \overset{\infty}{F}(ex_i \vee ex_j)$.

Weak eventuality fairness requires that if an eventuality is continuously pending, and one of $P_i$ or $P_j$ is continuously enabled, then eventually one of them will be executed.

Definition 23 (Creation fairness) $\Phi_c \overset{df}{=} \overset{\infty}{F} normal$.

A fullpath $\pi$ satisfies creation fairness iff it contains an infinite number of normal transitions.

A fullpath $\pi$ is fair iff $\pi \models_l \Phi_b(\pi) \wedge \Phi_e(\pi) \wedge \Phi_c$, where $\models_l$ is the satisfaction relation of propositional linear-time temporal logic [Eme90, MW84]. Our overall fairness notion $\Phi$ is thus the conjunction of weak blocking fairness, weak eventuality fairness, and creation fairness: $\Phi = \Phi_b \wedge \Phi_e \wedge \Phi_c$.

Let $aen_j = \forall a_j \in P_j : (\{a_j.start\} \Rightarrow a_j.guard)$, i.e., $aen_j$ holds iff every arc of $P_j$ whose start state is a component of the current $ij$-state $s_{ij}$ is also enabled in $s$. We say that $P_k$ blocks $P_i$ in configuration $s$ iff, in $W(s)$, there is a path from $P_i$ to $P_k$. Define $Wt_{ij}(s)$ to be the set of all $k$ such that there is a path in $W(s)$ from at least one of $P_i$ or $P_j$ to $P_k$. Thus, $Wt_{ij}(s)$ is the set of processes that block the pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ from executing some arc of $P^j_i$ or $P^i_j$.

Definition 24 (Liveness condition for dynamic programs) The liveness condition is the conjunction of the following:

1. Let $s$ be an arbitrary reachable configuration. Then, for every $\{i,j\} \in pairs(s)$: $M_{ij}, S^0_{ij} \models AG\,A(G\, ex_i \Rightarrow \overset{\infty}{G}\, aen_j)$.

2. Let $s$ be an arbitrary reachable configuration. For every $\{i,j\} \in pairs(s)$ such that $s \models pnd_{ij}$, the following must hold. There exists a finite $W \subseteq Pids$ such that for all $t$ reachable from $s$ along paths in which $pnd_{ij}$ holds in all configurations, $Wt_{ij}(t) \subseteq W$.

The first condition above is a "local" one, i.e., it is evaluated on pair-programs in isolation. It requires that, for every pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ executing in isolation, if $P^j_i$ can execute continuously along some path, then there exists a suffix of that path along which $P^j_i$ does not block any arc of $P^i_j$. The second condition is "global": it requires that a process is not forever delayed because new processes which block it are constantly being added.

Given the liveness condition and the absence of deadlocks and the use of $\Phi$-fair scheduling, we can show that one of $P_i$ or $P_j$ is guaranteed to be executed from any configuration whose $ij$-projection has a pending eventuality. Let $\models_\Phi$ be the satisfaction relation of CTL* when the path quantifiers $A$ and $E$ are restricted to fair fullpaths ($A$: for all fair fullpaths, $E$: for some fair fullpath) [EL87].

Lemma 19 (Progress for dynamic programs) Let $s$ be an arbitrary reachable configuration and $\{i,j\} \in pairs(s)$. If

1. the liveness condition holds, and

2. for every reachable configuration $u$, $W(u)$ is supercycle-free, and

3. $M_{ij}, s\lceil ij \models \neg h_{ij} \wedge AF h_{ij}$ for some $h_{ij} \in CL(spec_{ij})$,

then

$s \models_\Phi AF(ex_i \vee ex_j)$.

Proof. By assumption 2 and Theorem 18, $M_\mathcal{P}, S_0 \models AG\,EX\,true$. Hence every fullpath in $M_\mathcal{P}$ is infinite. Let $\pi$ be an arbitrary $\Phi$-fair fullpath starting in $s$. If $M_\mathcal{P}, \pi \models F(ex_i \vee ex_j)$, then we are done. Hence we assume

$\pi \models G(\neg ex_i \wedge \neg ex_j)$ (*)

in the remainder of the proof. Let $t$ be an arbitrary configuration along $\pi$. By clause 2 of the liveness condition for dynamic programs (Definition 24), $Wt_{ij}(t) \subseteq W$ for some finite $W \subseteq Pids$. Hence, there exists a configuration $v$ along $\pi$ such that, for all subsequent configurations $w$ along $\pi$, $Wt_{ij}(w) \subseteq Wt_{ij}(v)$, i.e., after $v$, the set of processes that block $(S^0_{ij}, P^j_i \parallel P^i_j)$ does not increase. Now consider the static concurrent program $P_J$ with interconnection relation $J = \{\{k,l\} \mid \{k,l\} \in pairs(v) \text{ and } \{k,l\} \subseteq Wt_{ij}(v)\}$ and initial state set $\{v\lceil J\}$. By applying Lemma 10 to $P_J$, we conclude that $M_J, v\lceil J \models_\Phi AF(ex_i \vee ex_j)$. Now let $\rho_J = \pi^v\lceil J$, where $\pi^v$ is the infinite suffix of $\pi$ starting in $v$. We now establish

$\rho_J$ is an infinite path in $M_J$ (**)

given the assumption that (*) holds. From (*) and weak eventuality fairness (Definition 22), we see that $Wt_{ij}(t)$ is nonempty for every configuration $t$ along $\pi$, since otherwise one of $P_i$, $P_j$ would be executed. By definition, there is no path in $W(t)$ from a process in $Wt_{ij}(t)$ to a process outside $Wt_{ij}(t)$. Hence, by assumption 2 and Proposition 17, there exists some $P_k \in Wt_{ij}(t)$ such that $P_k$ has an enabled move in configuration $t$. Since this holds for all configurations $t$ along $\pi$, we conclude by weak blocking fairness (Definition 21) that infinitely often along $\pi$, some process in $Wt_{ij}(v)$ is executed. Hence, by Definition 1 and the definition of $J$, $\rho_J$ is infinite.

From Lemma 15, $\rho_J$ is a path in $M_J$. Hence, $\rho_J$ is a fullpath in $M_J$. By Definition 1, the first state of $\rho_J$ is $v\lceil J$. Hence, by $M_J, v\lceil J \models_\Phi AF(ex_i \vee ex_j)$, we have $\rho_J \models F(ex_i \vee ex_j)$. From $\rho_J = \pi^v\lceil J$ and Definition 1, we conclude $\pi^v \models F(ex_i \vee ex_j)$. Hence, $\pi \models F(ex_i \vee ex_j)$, contrary to assumption. □

8.3 The Large Model Theorem for Dynamic Programs 

The large model theorem establishes the soundness of our synthesis method. It states that 
any subformula of spec_ij which holds in the ij-projection of a configuration s also holds in s 
itself. That is, correctness properties satisfied by a pair-program executing in isolation also hold 
in the synthesized program P. 

Theorem 20 (Large model) Let i, j ∈ Pids and let s be an arbitrary reachable configuration in 
M_P such that ({i,j}, spec_ij) ∈ s.I, where spec_ij is an ACTL^-_ij formula. If 

1. the liveness condition for dynamic programs holds, 

2. W(u) is supercycle-free for every reachable configuration u in M_P, and 

3. M_ij, s|ij |= f_ij for some f_ij ∈ CL(spec_ij), 

then 

M_P, s |=_Φ f_ij. 

Proof. The theorem follows from Theorem 18 and Lemma 19 in essentially the same way that 
Theorem 11 follows from Theorem 9 and Lemma 10, i.e., the static case. The proof is very similar, 
since the statements (but not the proofs) of Theorem 18 and Lemma 19 are identical to those of 
Theorem 9 and Lemma 10. The only difference in the proof is in dealing with create transitions. 
This is straightforward, since (S_ij, P_i || P_j) is created with its current state set to one of its reachable 
states, and so the same projection relationships hold between M_P and M_ij in the dynamic case 
as between M_J and M_ij in the static case; in particular, Lemma 15 provides the exact dynamic 
analogue of Lemma 3, and is the only projection result used in establishing the large model 
theorem. The only difference is that in the dynamic case the projection starts from the point 
at which (S_ij, P_i || P_j) is created. Since we do not require computation paths to start from an initial 
state, this does not pose a problem. We note that the only result for static programs that involves 
reachability is Corollary 4, and this is only used to establish deadlock-freedom for the static case. 
For the dynamic case, deadlock-freedom is guaranteed by the dynamic wait-for-graph condition 
(Definition 20), which contains an explicit clause (clause 2) to deal with creation. □ 

We note the important case of f_ij = AG g_ij, i.e., f_ij expresses a global property, since g_ij holds 
in all configurations reachable from s. 

9 Implementation in Atomic read/write Shared Memory 

We now show how the synthesized program can be implemented in atomic read/write memory. 
To break down the atomicity of an arc in the synthesized program, we require that, in all pair- 
programs, all guards are temporarily stable [Kat86], that is, once the guard holds, it continues to 
hold until some arc is executed, not necessarily the arc corresponding to the guard. 

We generalize this discussion as follows. Let (s_i, ⊕_{ℓ∈[1:n_j]} B^j_{i,ℓ} → A^j_{i,ℓ}, t_i) be an arc of P_i in pair- 
program (S_ij, P_i || P_j). We require 

M_ij, S^0_ij |= ∧_{ℓ∈[1:n_j]} AG((s_i ∧ B^j_{i,ℓ}) ⇒ A[(s_i ∧ B^j_{i,ℓ}) U ¬s_i]). (TSTAB) 

Now consider, in process P_i of P, the arc from s_i to t_i. By Definition 15, this arc has the label 
⊗_{j∈s.I(i)} ⊕_{ℓ∈[1:n_j]} B^j_{i,ℓ} → A^j_{i,ℓ} in configuration s. Since P_i will be explicitly involved in any creation 
step which adds a pair of which P_i is a member, we assume that this label does not change, for the 
time being. Now, P_i can evaluate each of the B^j_{i,ℓ} sequentially, rather than simultaneously, since 
once true, each B^j_{i,ℓ} will remain true until P_i executes either the above arc or some other arc. Once 
P_i has observed that, for every j ∈ s.I(i), there exists ℓ ∈ [1:n_j] such that B^j_{i,ℓ} holds, P_i can execute the 
arc. The condition (TSTAB) can be checked in polynomial time by the model-checking algorithm 
of [CES86]. 

Execution of the arc will also involve the simultaneous execution of the assignments A^j_{i,ℓ}. To 
break this multiple assignment down into atomic read and write operations, we use efficient solu- 
tions to the dining/drinking philosophers problem [SP88, CM88] to guarantee mutual exclusion of 
neighboring processes. Once a process has excluded all its neighbors (i.e., it "has all the forks"), 
it can then perform the multiple assignment sequentially. The following subsection gives details of 
this implementation. 

As an alternative to using dining/drinking philosophers, if we have available hardware operations 
such as compare-and-swap or load-linked/store-conditional, then we can use the constructions of 
[Moi97, Moi00]. These algorithms permit the efficient, wait-free implementation of the multiple 
assignments. 

9.1 Implementation using underlying dining/drinking philosophers algorithm 

The problem is to implement every move a_i = ⊗_{j∈s.I(i)} ⊕_{ℓ∈[1:n_j]} B^j_{i,ℓ} → A^j_{i,ℓ} of every process P_i, 
in configuration s. The implementation consists of the following three procedures. The first, 
POLL(P_i, a_i), repeatedly polls all the guards of the move a_i, until a guard B^j_{i,ℓ} for each neighbor P_j 
of P_i is found which is true. When this occurs, the move can be executed. 

POLL(P_i, a_i) 

1. X[a_i] := s.I(i); 

2. repeat 
     poll all the B^j_{i,ℓ} for j ∈ X[a_i], ℓ ∈ [1:n_j]; 
     for every j such that B^j_{i,ℓ} polled true for some ℓ 
        X[a_i] := X[a_i] − {j}; 
        choice^j[a_i] := ℓ 
   until X[a_i] = ∅ 

Now in a local state s_i, P_i will usually have a choice of several moves. The second procedure, 
CHOOSE(P_i, s_i), repeatedly polls the guards of all such moves, until one is found all of whose guards 
are true. This move can then be executed by P_i. The actual execution is carried out by the 
EXECUTE(P_i, s_i) procedure. EXECUTE(P_i, s_i) first invokes CHOOSE(P_i, s_i) to determine which move 
to execute. It then obtains exclusive access to all the shared variables that execution of a_i 
updates, and exclusive access to the atomic propositions of P_i. Once all necessary locks are obtained, 
the chosen move can be executed in an "atomic" manner. 

CHOOSE(P_i, s_i) 

1. Let a^1_i, a^2_i, ... be all the moves of P_i with start state s_i; 

2. Invoke POLL(P_i, a^1_i), POLL(P_i, a^2_i), ... simultaneously, and in an "interleaved" manner, i.e., interleave 
the executions of POLL(P_i, a^1_i), POLL(P_i, a^2_i), ...; 

3. Let a^k_i = (s_i, ⊗_{j∈s.I(i)} ⊕_{ℓ∈[1:n_j]} B^j_{i,ℓ} → A^j_{i,ℓ}, t_i) be the first move for which X[a^k_i] = ∅ becomes true; 

4. return(a^k_i, choice[a^k_i]) 

EXECUTE(P_i, s_i) 

1. Invoke CHOOSE(P_i, s_i) and let a^k_i, choice[a^k_i] be the returned values; 

2. forall j ∈ s.I(i) do 
     obtain a lock on all variables in A^j_{i,ℓ}, ℓ = choice^j[a^k_i], e.g., by using a drinking philosophers algorithm; 
   obtain a lock on the atomic propositions of P_i (i.e., those in AP_i) 

3. forall j ∈ s.I(i) do 
     execute A^j_{i,ℓ}, ℓ = choice^j[a^k_i]; 
   change the local state of P_i to t_i 

4. forall j ∈ s.I(i) do 

5. release all locks 



The overall implementation is given by the procedure MAIN(P_i), which implements the process 
P_i. MAIN(P_i) repeatedly invokes EXECUTE(P_i, s_i), where s_i is the current local state of P_i. The 
low-level concurrent program P_r is then given by the concurrent composition of MAIN(P_i) for every 
process P_i that has been created so far. Let M_r be the global state transition diagram of P_r. M_r 
can be formally defined in a similar manner to M_P (Definition 17). 

MAIN(P_i) 

1. Let s_i be an initial local state of P_i; 

2. repeat forever 
     invoke EXECUTE(P_i, s_i); 
     update s_i to be the resulting local state of P_i; 

3. participate in any outstanding Create protocols, if a request to suspend execution has 
been received 

Note that P_i participates in executions of Create only when it is not executing normal tran- 
sitions. This prevents the interleaving of the low-atomicity implementations of normal and create 
transitions. Thus, in particular, during the low-atomicity execution of a single normal transi- 
tion, the value of s.I(i), i.e., the set of neighbors of P_i, does not change. This is essential to the 
correctness of the implementation. 
9.2 Soundness of the Implementation in Atomic read/write shared memory 



We show that M_r satisfies the same ACTL^-_ij formulae as M_P. Roughly, we can consider M_r to 
consist of a "stretched out" version of M_P, in which each transition of M_P is replaced by a sequence 
of transitions, together with all of the possible interleavings that result from this refinement of the 
transitions in M_P. Due to our use of locking, this refinement does not generate any configurations 
that are unreachable in M_P. Likewise, paths in M_r have "corresponding" paths in M_P. Hence, 
correctness is preserved. 

Let s, u be configurations of M_P, M_r respectively. Then define s ~ u iff (∀p ∈ AP : s(p) = u(p)) 
and (∀x ∈ SH : s(x) = u(x)). Let π, ρ be fullpaths of M_P, M_r respectively. Then define π ~ ρ iff 
π can be written as a sequence of finite blocks of configurations π_1, π_2, ..., ρ can be written as a 
sequence of finite blocks of configurations ρ_1, ρ_2, ..., and for all i > 0, for every s in π_i and every u 
in ρ_i, s ~ u. 
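The procedures of Section 9.1 and the correspondence ~ just defined, as an added Python example (this is not code from the paper): two constructed processes pass a token through shared registers, each running the MAIN/POLL/EXECUTE discipline over a `Memory` of atomic registers. Fixed-order lock acquisition stands in for the drinking philosophers algorithm (an assumption; it is deadlock-free here because every process locks in the same order), and a poll reads a register while holding that variable's lock, which models the exclusive access to atomic propositions assumed in the proof of Lemma 21. The memory also acts as the observer: it records a configuration after every atomic access, giving the fine-grained path ρ, and marks the indices at which a line-3 multiple assignment completed; the coarse path π of Lemma 21 is the sub-sequence of ρ at those indices. `check_refinement` then verifies that every step of π is a move of the coarse-grained program and that no poller ever observed a value other than the one in the coarse configuration current at that read.

```python
"""Added example: POLL / EXECUTE over atomic registers, with an observer that
records the fine-grained path rho and recovers the coarse path pi of Lemma 21."""
import threading


class Memory:
    """Atomic read/write registers.  Every access is logged as one configuration
    of rho; completed multiple assignments are indexed for the coarse path."""
    def __init__(self, init):
        self.vals = dict(init)
        self.locks = {v: threading.Lock() for v in init}  # one lock ("bottle") per variable
        self._reg = threading.Lock()                       # atomicity of a single access
        self.rho = [dict(init)]     # fine-grained path: a snapshot after each access
        self.line3 = [0]            # rho indices at which some EXECUTE line 3 finished
        self.reads = []             # (rho index, var, value) returned to a poller

    def read(self, var):
        with self._reg:
            val = self.vals[var]
            self.rho.append(dict(self.vals))
            self.reads.append((len(self.rho) - 1, var, val))
            return val

    def write(self, var, val):
        with self._reg:
            self.vals[var] = val
            self.rho.append(dict(self.vals))

    def move_done(self):
        with self._reg:
            self.line3.append(len(self.rho) - 1)


def run_process(mem, guard, assign, rounds):
    """MAIN(P_i) for a process with one move: `guard` maps variables to required
    values, `assign` maps variables to functions of the pre-state.  Each poll
    reads a single register under that variable's lock (assumed exclusive access);
    (TSTAB) is what lets a guard once found true be trusted until the move runs."""
    for _ in range(rounds):
        pending = set(guard)                        # X[a_i] := s.I(i)
        while pending:                              # POLL: drop each guard once seen true
            for var in sorted(pending):
                with mem.locks[var]:
                    if mem.read(var) == guard[var]:
                        pending.discard(var)
        targets = sorted(assign)                    # EXECUTE line 2: lock in a fixed global
        for var in targets:                         # order (stands in for drinking philosophers)
            mem.locks[var].acquire()
        try:
            pre = {var: mem.read(var) for var in targets}   # line 3: the multiple assignment,
            for var in targets:                              # done as sequential atomic writes
                mem.write(var, assign[var](pre))
            mem.move_done()
        finally:
            for var in reversed(targets):           # line 5: release all locks
                mem.locks[var].release()


MOVES = [  # constructed program: P1 and P2 pass a token in x and count handovers in cnt
    ({'x': 0, 'go': 1}, {'x': lambda s: 1, 'cnt': lambda s: s['cnt'] + 1}),
    ({'x': 1, 'go': 1}, {'x': lambda s: 0, 'cnt': lambda s: s['cnt'] + 1}),
]


def coarse_path(mem):
    """pi of Lemma 21: the sub-sequence of rho at completed line-3 executions."""
    return [mem.rho[i] for i in mem.line3]


def is_move(before, after, moves):
    """True iff `after` is `before` updated by one move whose guard holds in `before`."""
    for guard, assign in moves:
        if all(before[v] == val for v, val in guard.items()):
            expect = dict(before, **{v: f(before) for v, f in assign.items()})
            if expect == after:
                return True
    return False


def check_refinement(mem, moves):
    """(every pi step is a move of the coarse program,
        every polled value equals the coarse configuration current at that read)"""
    pi = coarse_path(mem)
    steps_ok = all(is_move(a, b, moves) for a, b in zip(pi, pi[1:]))
    reads_ok = all(mem.rho[max(i for i in mem.line3 if i <= idx)][var] == val
                   for idx, var, val in mem.reads)
    return steps_ok, reads_ok


def run_demo(rounds=4):
    mem = Memory({'x': 0, 'cnt': 0, 'go': 1})
    threads = [threading.Thread(target=run_process, args=(mem, g, a, rounds)) for g, a in MOVES]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return mem


if __name__ == "__main__":
    m = run_demo()
    print(len(m.rho), "fine-grained steps collapse to", len(coarse_path(m)),
          "coarse configurations; refinement checks:", check_refinement(m, MOVES))
```

Both checks hold whatever interleaving the scheduler produces, which is the content of Lemma 21 for this program: the intermediate configurations of a multiple assignment exist in ρ but are never observed, so the observed behaviour is that of the coarse-grained machine. The guards `x == 0` and `x == 1` satisfy (TSTAB) because each can be falsified only by the move it guards, and that is what makes polling one register at a time sound.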

Lemma 21 Let s, u be configurations of M_P, M_r respectively such that s ~ u. Then, for every 
fullpath ρ of M_r starting in u, there exists a fullpath π of M_P starting in s such that π ~ ρ. 

Proof. We assume that line 3 of EXECUTE(P_i, s_i) is executed atomically. This is reasonable, since 
exclusive access locks to all the shared variables and atomic propositions modified by line 3 of 
EXECUTE(P_i, s_i) are obtained first. We do not assume the atomic execution of any other part of 
the implementation algorithm. 

Given ρ, consider the subsequence of the transitions of ρ given by the transitions that correspond 
to the execution of line 3 of EXECUTE(P_i, s_i). These are the only transitions of ρ which change 
the shared variables and atomic propositions, and so affect the truth of ~. From the construction 
of the implementation algorithm, we can show that there exists a fullpath π of M_P starting in s 
which executes the same sequence of changes to the shared variables and atomic propositions. It 
follows that π ~ ρ. □ 

Theorem 22 Let s, u be configurations of M_P, M_r respectively such that s ~ u. Let π, ρ be fullpaths 
of M_P, M_r respectively such that π ~ ρ. Let f be any formula of ACTL* − X. Then, 

If M_P, s |=_Φ f, then M_r, u |=_Φ f. 

If M_P, π |=_Φ f, then M_r, ρ |=_Φ f. 

Proof. The proof is by induction on the structure of f, i.e., by induction on the number of times 
rules S2, S3, and P1-3 of the definition of ACTL* syntax are applied to generate f. Rule S1 of 
that definition gives the base case. 

Base case: f is one of true, false, p, ¬p for some atomic proposition p. Since s and u agree on 
all atomic propositions, M_r, u |= f follows immediately from M_P, s |= f. 

Induction step: There are several cases. 

Case 1: S2 is applied, and f is g ∨ h, a state formula. Hence M_P, s |= g ∨ h. By ACTL* semantics, 
M_P, s |= g or M_P, s |= h. By the induction hypothesis, M_r, u |= g or M_r, u |= h. Hence, by ACTL* 
semantics, M_r, u |= g ∨ h. 

Case 2: S2 is applied, and f is g ∧ h, a state formula. Hence M_P, s |= g ∧ h. By ACTL* semantics, 
M_P, s |= g and M_P, s |= h. By the induction hypothesis, M_r, u |= g and M_r, u |= h. Hence, by 
ACTL* semantics, M_r, u |= g ∧ h. 

Case 3: S3 is applied, and f is Ag, a state formula. Hence g is a path formula. Assume M_P, s |= Ag. 
Let ρ be an arbitrary fullpath of M_r starting in u. By Lemma 21, there exists a fullpath π of M_P 
starting in s such that π ~ ρ. Since M_P, s |= Ag, we have M_P, π |= g by ACTL* semantics. From 
π ~ ρ and the induction hypothesis, we obtain M_r, ρ |= g. Since ρ was chosen arbitrarily from the 
fullpaths starting in u, we conclude M_r, u |= Ag, by ACTL* semantics. 

Case 4: P1 is applied, and f is g, where f is a path formula and g is a state formula. Assume 
M_P, π |= f. Hence, M_P, s |= g, where s is the first state of π. Let u be the first state of ρ. Then 
s ~ u, by the definition of π ~ ρ. By the induction hypothesis, M_P, s |= g, and s ~ u, we obtain 
M_r, u |= g. Hence, by ACTL* semantics, M_r, ρ |= f. 

Case 5: P2 is applied, and f is g ∨ h, a path formula. Hence M_P, π |= g ∨ h. By ACTL* semantics, 
M_P, π |= g or M_P, π |= h. By the induction hypothesis, M_r, ρ |= g or M_r, ρ |= h. Hence, by ACTL* 
semantics, M_r, ρ |= g ∨ h. 

Case 6: P2 is applied, and f is g ∧ h, a path formula. Hence M_P, π |= g ∧ h. By ACTL* semantics, 
M_P, π |= g and M_P, π |= h. By the induction hypothesis, M_r, ρ |= g and M_r, ρ |= h. Hence, by 
ACTL* semantics, M_r, ρ |= g ∧ h. 

Case 7: P3 is applied, and f is gUh, a path formula. Assume M_P, π |= f. Hence, there exists i' ≥ 1 
such that M_P, π^{i'} |= h and (∀i : 1 ≤ i < i' : M_P, π^i |= g). Let j' be the smallest natural number 
such that π^{i'} ~ ρ^{j'}. By the induction hypothesis, M_r, ρ^{j'} |= h. Let j be any natural number such 
that 1 ≤ j < j'. By the definition of π ~ ρ, there exists some i such that 1 ≤ i < i' and π^i ~ ρ^j. 
Since 1 ≤ i < i', we have M_P, π^i |= g. Hence, by the induction hypothesis, M_r, ρ^j |= g. We have 
thus shown M_r, ρ^{j'} |= h and (∀j : 1 ≤ j < j' : M_r, ρ^j |= g). By ACTL* semantics, M_r, ρ |= gUh. 

Case 8: P3 is applied, and f is gU_w h, a path formula. Assume M_P, π |= f. Hence, by ACTL* 
semantics, M_P, π |= gUh or M_P, π |= Gg. M_P, π |= gUh is just Case 7 above. M_P, π |= Gg can 
also be treated with an argument analogous to that of Case 7. Hence, we can establish M_r, ρ |= gUh 
or M_r, ρ |= Gg. Thus, M_r, ρ |= gU_w h. □ 

Theorem 23 (Large model theorem for low-atomicity implementation) Let i, j ∈ Pids and 
let u be an arbitrary reachable configuration in M_r such that ({i,j}, spec_ij) ∈ u.I, where spec_ij is 
an ACTL^-_ij formula. If 

1. the liveness condition for dynamic programs holds, 

2. W(v) is supercycle-free for every reachable configuration v in M_r, and 

3. M_ij, s|ij |=_Φ f_ij for some f_ij ∈ CL(spec_ij), 
then 

M_r, u |=_Φ f_ij. 

Proof. Immediate from Theorem 20 and Theorem 22. □ 

10 Example — The Eventually Serializable Data Service 

The eventually-serializable data service (ESDS) of [FGL+99, LLSG92] is a replicated, distributed 
data service that trades off immediate consistency for improved efficiency. A shared data object is 
replicated, and the response to an operation at a particular replica may be out of date, i.e., not 
reflecting the effects of other operations that have not yet been received by that replica. Thus, 
operations may be reordered after the response is issued. Replicas communicate amongst each 
other the operations they receive, so that eventually every operation "stabilizes," i.e., its ordering 
is fixed with respect to all other operations. Clients may require an operation to be strict, i.e., 
stable at the time of response (and so it cannot be reordered after the response is issued). Clients 
may also specify, in an operation x, a set x.prev of other operations that should precede x (client- 
specified constraints, CSC). We let O be the (countable) set of all operations, ℛ the set of all 
replicas (which may increase dynamically), client(x) be the client issuing operation x, and replica(x) 
be the replica that handles operation x. We use x to index over operations, c to index over clients, 
and r, r' to index over replicas. For each operation x, we define a client process C^x_c and a replica 
process R^x_r, where c = client(x), r = replica(x). Thus, a client consists of many processes, one for 
each operation it issues. As the client issues operations, these processes are created dynamically. 
Likewise a replica consists of many processes, one for each operation it processes. Thus, we can 
use dynamic process creation and finite-state processes to model an infinite-state system, such as 
the one here, which in general handles an unbounded number of operations over time. The pair- 
specifications are as follows. The local structure specifications of a process are implicitly conjoined 
with any pair-specification referring to that process. The atomic predicates have the following 
meaning for operation x: in is the initial state, wt means that x is submitted but not yet done, dn 
means that x is done, st means that x is stable, snt means that the result of x has been sent to the 
client. We give pair-programs for a strict operation x. The pair-programs for a non-strict operation 
are similar, except that the transitions from dn^x_r to st^x_r to [st^x_r, snt^x_r] can also be performed in the 
reverse order (i.e., there is a branch from the dn^x_r state), since the result of x can be sent before x 
stabilizes. For example, Figure 11 gives the pair-program when x is not strict. 

Local structure of clients C^x_c 
in^x_c: x is initially pending 

AG(in^x_c ⇒ (AX_c wt^x_c ∧ EX_c wt^x_c)) ∧ AG(wt^x_c ⇒ AX_c dn^x_c) ∧ AG(dn^x_c ⇒ (AX_c dn^x_c ∧ EX_c dn^x_c)): C^x_c moves 
from in^x_c to wt^x_c to dn^x_c, and thereafter remains in dn^x_c, and can always move from to 

AG((in^x_c ≡ ¬(wt^x_c ∨ dn^x_c)) ∧ (wt^x_c ≡ ¬(in^x_c ∨ dn^x_c)) ∧ (dn^x_c ≡ ¬(in^x_c ∨ wt^x_c))): C^x_c is always in exactly 
one of the states in^x_c (initial state), wt^x_c (x has been submitted, and the client is waiting for a 
response), or dn^x_c (x is done). 

Local structure of replicas R^x_r. This is as shown in Figures 8, 9, and 10. We omit the temporal 
logic formulae to save space. They are constructed in an analogous manner to those for the clients. 

Client-replica interaction, C^x_c || R^x_r, x ∈ O, c = client(x), r = replica(x) 
AG(wt^x_r ⇒ wt^x_c): x is not received by its replica before it is submitted 
AG(wt^x_c ⇒ AF wt^x_r): every submitted x is eventually received by its replica 
AG(wt^x_c ⇒ AF dn^x_r): every submitted x is eventually performed 
AG(dn^x_c ⇒ AG dn^x_r): once an operation x is done, it remains done 

CSC constraints, pair-machine R^x_r || R^{x'}_{r'}, x ∈ O, x' ∈ x.prev, r = replica(x), r' = replica(x') 

AG(dn^x_r ⇒ dn^{x'}_{r'}): every operation in x.prev is performed before x is 

AG(dn^x_r ⇒ AG dn^x_r) ∧ AG(dn^{x'}_{r'} ⇒ AG dn^{x'}_{r'}): once an operation is done, it remains done 

Figure 8: Client-replica interaction: pair-program C^x_c || R^x_r, r = replica(x). 

Figure 9: CSC constraints: pair-program R^x_r || R^{x'}_{r'}, r = replica(x), x' ∈ x.prev, r' = replica(x'). 

Strictness constraints, pair-machine R^x_r || R^x_{r'}, x ∈ O, x.strict, r = replica(x), r' ∈ ℛ − {replica(x)} 

AG(snt^x_r ⇒ ∧_{r'} st^x_{r'}): a strict operation is not performed until it is stable at all replicas 

AG(snt^x_r ⇒ AG snt^x_r) ∧ AG(st^x_{r'} ⇒ AG st^x_{r'}): once operation results are sent, they remain sent, and once 
an operation is stable, it remains stable 

Eventual stabilization, R^x_r || R^x_{r'}, x ∈ O, r = replica(x), r' ∈ ℛ − {replica(x)} 
AG(wt^x_r ⇒ ∧_{r'} AF st^x_{r'}): every submitted operation eventually stabilizes 

Rule for dynamic process creation. At any point, a client C_c can create the pair-programs re- 
quired for the processing of a new operation x, for which client(x) = C_c. These pair-programs 
are C^x_c || R^x_r where r = replica(x), R^x_r || R^{x'}_{r'} where x' ∈ x.prev, r' = replica(x'), and R^x_r || R^x_{r'}, 
r = replica(x), r' ∈ ℛ. It is permissible for replica(x) to be a "new" replica, i.e., one that cur- 
rently does not occur in any pair-program. Thus, the set of "current replicas" can be expanded 
at run-time. This is done implicitly when the first operation which is processed by that replica is 
instantiated. Likewise, a "new" client can submit an operation for the first time. Thus, clients can 
also be created dynamically. 

Figure 10: The pair-program R^x_r || R^x_{r'}, when x is strict, r = replica(x), r' ∈ ℛ − {replica(x)}. [Diagram; its arcs carry the underlying-data assignments [lbr(x) := next(lbr)] and [v := val(x, lbr)].] 

Figure 11: The pair-program R^x_r || R^x_{r'}, when x is not strict. [Diagram; its arcs carry the underlying-data assignment [lbr'(x) := lbr(x)].] 

For each pair-specification, we synthesize a pair-program satisfying it, e.g., using the method 
of [EC82]. Figures 8, 9, and 10 show the resulting pair-programs. We then apply Definition 15 to 
synthesize the ESDS program with a dynamic number of clients and replicas, shown in Figure 12. 
The ESDS program and the pair-program R^x_r || R^x_{r'} of Figure 10 both manipulate some "underlying" 
data, i.e., data which is updated, but not referenced in any guard, and so does not affect control 
flow. This data consists of a labeling function lbr which assigns to each operation x at replica r a 
label, drawn from a well-ordered set. The assignment lbr(x) := next(lbr) takes the smallest label 
not yet allocated by lbr and assigns it to lbr(x). The labels encode ordering information for the 
operations. The assignment v := val(x, lbr) computes a value v for operation x, using the ordering 
given by lbr: operations with a smaller label are ordered before operations with a larger label. 
In the figures, these assignments to underlying data are shown within [..] brackets, alongside the 
arc-labels obtained by pairwise synthesis. They are not used when verifying correctness properties; 
the ordering constraints given by the x.prev sets are sufficient to verify that the client-specified 
constraints are obeyed. Finally, we add self-loops to the final local state of every process for 
technical reasons related to establishing deadlock-freedom. 

Correctness of the ESDS program follows immediately from Theorem 20, since the conjunction 
of the pair-specifications gives us the desired correctness properties (formulae of the forms AG(p_i ⇒ 
AX_i q_i), AG(p_i ⇒ EX_j q_j) are not in ACTL^-_ij, but were shown to be preserved in [AE98], and the 
proof given there still applies). 
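The ESDS pair-specifications above, as an added Python example (constructed here; it is not the paper's synthesized program of Figure 12): each client/replica step is a move whose guard is the corresponding pair-specification conjunct, and the underlying data lbr, next(lbr) and val(x, lbr) is carried along. Two representation choices are assumptions: labels are (counter, replica) pairs, which keeps them unique and totally ordered across replicas, and val(x, lbr) returns the operations known at the replica up to x's label in label order. `check_specs` evaluates the safety conjuncts (AG(wt_r ⇒ wt_c), the CSC ordering, strictness, and the "once done/stable/sent, remains so" clauses) on every configuration of the recorded trace, and `check_eventualities` checks the AF obligations at the end of the finite run. The scenario has a strict operation b with a ∈ b.prev, handled at a different replica from a.

```python
"""Constructed ESDS run (added example, not the paper's program): operations
move through the predicates wt, dn, st, snt of their client and replica
processes; every move is guarded by the corresponding pair-specification."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Op:
    name: str
    client: str
    replica: str      # replica(x)
    prev: frozenset   # x.prev, the client-specified constraints
    strict: bool


class ESDS:
    def __init__(self, replicas, ops):
        self.R = tuple(replicas)
        self.ops = {op.name: op for op in ops}
        self.pred = {}                          # (x, ('c', c) | ('r', r)) -> held predicates
        self.lbr = {r: {} for r in replicas}    # labeling function lbr of each replica
        self.val = {}                           # v computed by val(x, lbr) when x is performed
        self.trace = []                         # one configuration per move
        self._snap()

    def _snap(self):
        self.trace.append({k: frozenset(v) for k, v in self.pred.items()})

    def holds(self, p, x, who):
        return p in self.pred.get((x, who), ())

    def _set(self, p, x, who):
        self.pred.setdefault((x, who), set()).add(p)
        self._snap()

    def next_label(self, r):
        """next(lbr): assumed label form (counter, replica), unique and totally ordered."""
        return (len(self.lbr[r]) + 1, r)

    def value(self, x, r):
        """val(x, lbr), assumed form: operations known at r up to x's label, in label order."""
        lab = self.lbr[r]
        return tuple(sorted((y for y in lab if lab[y] <= lab[x]), key=lab.get))

    # Moves: each returns False when its guard is false, i.e. the arc is blocked.
    def submit(self, x):                    # client: in -> wt
        c = ('c', self.ops[x].client)
        if self.holds('wt', x, c): return False
        self._set('wt', x, c); return True

    def receive(self, x):                   # replica enters wt only after the client submitted
        op = self.ops[x]; c, r = ('c', op.client), ('r', op.replica)
        if not self.holds('wt', x, c) or self.holds('wt', x, r): return False
        self._set('wt', x, r); return True

    def perform(self, x):                   # wt_r -> dn_r, guarded by dn of every x' in x.prev
        op = self.ops[x]; r = ('r', op.replica)
        if not self.holds('wt', x, r) or self.holds('dn', x, r): return False
        if not all(self.holds('dn', y, ('r', self.ops[y].replica)) for y in op.prev): return False
        self.lbr[op.replica][x] = self.next_label(op.replica)   # [lbr(x) := next(lbr)]
        self.val[x] = self.value(x, op.replica)                 # [v := val(x, lbr)]
        self._set('dn', x, r); return True

    def stabilize(self, x, r2):             # x becomes stable at another replica r2
        op = self.ops[x]
        if not self.holds('dn', x, ('r', op.replica)) or self.holds('st', x, ('r', r2)): return False
        self.lbr[r2][x] = self.lbr[op.replica][x]               # [lbr'(x) := lbr(x)]
        self._set('st', x, ('r', r2)); return True

    def send(self, x):                      # snt_r and client dn; strict x waits for st at all r' != r
        op = self.ops[x]; r = ('r', op.replica)
        if not self.holds('dn', x, r) or self.holds('snt', x, r): return False
        if op.strict and not all(self.holds('st', x, ('r', q)) for q in self.R if q != op.replica):
            return False
        self._set('snt', x, r); self._set('dn', x, ('c', op.client)); return True

    def check_specs(self):
        """Safety conjuncts of the pair-specifications, checked in every trace configuration."""
        for i, cfg in enumerate(self.trace):
            def h(p, x, who): return p in cfg.get((x, who), ())
            for x, op in self.ops.items():
                c, r = ('c', op.client), ('r', op.replica)
                others = [q for q in self.R if q != op.replica]
                if h('wt', x, r) and not h('wt', x, c): return False   # AG(wt_r => wt_c)
                if h('dn', x, r) and not all(h('dn', y, ('r', self.ops[y].replica)) for y in op.prev):
                    return False                                        # AG(dn_r^x => dn_r'^x')
                if op.strict and h('snt', x, r) and not all(h('st', x, ('r', q)) for q in others):
                    return False                                        # AG(snt_r => /\ st_r')
            if i and any(p not in cfg.get(k, ()) for k, ps in self.trace[i - 1].items()
                         for p in ps if p != 'wt'):
                return False                                            # AG(p => AG p), p in dn, st, snt
        return True

    def check_eventualities(self):
        """AF obligations on the finished run: submitted ops are done, sent, and stable elsewhere."""
        return all(self.holds('dn', x, ('r', op.replica)) and self.holds('snt', x, ('r', op.replica))
                   and all(self.holds('st', x, ('r', q)) for q in self.R if q != op.replica)
                   for x, op in self.ops.items() if self.holds('wt', x, ('c', op.client)))


def run_example():
    """Constructed scenario: strict b must follow a (a in b.prev), handled at different replicas."""
    a = Op('a', 'c1', 'r1', frozenset(), strict=False)
    b = Op('b', 'c2', 'r2', frozenset({'a'}), strict=True)
    s = ESDS(['r1', 'r2'], [a, b])
    attempts = [s.perform('b')]                 # False: b has not been received
    s.submit('a'); s.submit('b'); s.receive('b')
    attempts.append(s.perform('b'))             # False: CSC guard, a is not done
    s.receive('a'); s.perform('a')
    attempts.append(s.send('a'))                # True: non-strict, no stability needed
    s.perform('b')
    attempts.append(s.send('b'))                # False: strict, b not yet stable at r1
    s.stabilize('a', 'r2'); s.stabilize('b', 'r1')
    attempts.append(s.send('b'))                # True
    return s, attempts
```

The blocked attempts are the interesting part: the CSC guard refuses to perform b until a is done at a's own replica, and the strictness guard refuses to send b's result until b is stable at every other replica, while the non-strict a is answered before any replica other than its own has seen it. After stabilization, `value('b', 'r2')` orders a before b because a's copied label (1, 'r1') precedes b's (1, 'r2'), even though b was computed at r2 before a arrived there, which is exactly the reordering-after-response that ESDS permits for non-strict operations.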

11 Conclusions and Further Work 

We presented a synthesis method which deals with an arbitrary and dynamically changing number 
of component processes without incurring the exponential overhead due to state explosion. Our 
method applies to any process interconnection scheme, does not make any assumption of similarity 
among the component processes, preserves all pairwise correctness properties expressed as nexttime- 
free formulae of ACTL, and produces efficient low-grain atomicity programs which require only 
operations commonly available in hardware. 

Figure 12: The synthesized ESDS system, c = client(x), r = replica(x). x' ranges over x.prev, 
and r' ranges over ℛ' = ℛ − {replica(x)} in ⊗_{r'}. R^x_{r'} is not shown since it is isomorphic to R^x_r. 

Further work includes extending the method to a model of concurrent computation which facil- 
itates abstraction and refinement, via a notion of external behavior, such as the model of [AL01], 
which also handles dynamic process creation. We also plan to deal with fault-tolerance by in- 
corporating the work of [AAE98], and to investigate extending the method to other models of 
computation such as real-time and probabilistic. 